AD-A242 862

LABORATORY FOR COMPUTER SCIENCE
MASSACHUSETTS INSTITUTE OF TECHNOLOGY

MIT/LCS/TM-412.d

USING MAPPINGS TO PROVE TIMING PROPERTIES




Nancy  Lynch 
Hagit  Attiya 


This document has been approved for public release and sale; its distribution is unlimited.


91-16586 


October  1991 


545  TECHNOLOGY  SQUARE,  CAMBRIDGE,  MASSACHUSETTS  02139 




REPORT  DOCUMENTATION  PAGE 




Report date: October 1991
Title and subtitle: Using Mappings to Prove Timing Properties
Author(s): Nancy A. Lynch, Hagit Attiya
Performing organization: Massachusetts Institute of Technology, Laboratory for Computer Science, 545 Technology Square, Cambridge, MA 02139
Performing organization report number: MIT/LCS/TM-412.d
Sponsoring/monitoring agency: DARPA
Sponsoring/monitoring agency report numbers: N00014-85-K-0168, N00014-87-K-0825



Using Mappings to Prove Timing Properties*


Nancy A. Lynch¹ and Hagit Attiya²


¹Laboratory for Computer Science, MIT, 545 Technology Square, Cambridge, MA 02139
²Department of Computer Science, The Technion, Haifa 32000, ISRAEL

*This work was supported by ONR contracts N00014-85-K-0168 and N00014-91-J-1040, by NSF
grants CCR-8811442 and CCR-8915206, and by DARPA contracts N00014-87-K-0825 and
N00014-89-J-1988.


Abstract 


A  new  technique  for  proving  timing  properties  for  timing-based  algorithms  is  described;  it 
is  an  extension  of  the  mapping  techniques  previously  used  in  proofs  of  safety  properties  for 
asynchronous  concurrent  systems.  The  key  to  the  method  is  a  way  of  representing  a  system 
with  timing  constraints  as  an  automaton  whose  state  includes  predictive  timing  information. 
Timing  assumptions  and  timing  requirements  for  the  system  are  both  represented  in  this  way. 
A multi-valued mapping from the “assumptions automaton” to the “requirements automaton”
is then used to show that the given system satisfies the requirements. One type of mapping
is based on a collection of “progress functions” providing measures of progress toward timing
goals. The technique is illustrated with two examples, a simple resource manager and a
two-process race system.

Keywords: Timing properties, timing-based algorithms, formal specification, formal verification,
assertional reasoning, possibilities mappings, timed automata, I/O automata, progress
functions.


1  Introduction 


Assertional reasoning is a useful technique for proving safety properties of sequential and
concurrent algorithms. This proof method involves describing the algorithm of interest as a
state machine, and defining a predicate known as an assertion on the states of the machine.
One proves inductively that the assertion is true of all the states that are reachable in a
computation of the machine, i.e., that it is an invariant of the machine. The assertion is
defined so that it implies the safety property to be proved. Assertional reasoning is a rigorous,
simple and general proof technique. Furthermore, the assertions usually provide an intuitively
appealing explanation of why the algorithm satisfies the property.

One  kind  of  assertional  reasoning  uses  a  mapping  to  describe  a  correspondence  between 
the  given  algorithm  and  a  higher-level  algorithm  used  as  a  specification  of  correctness.  (See, 
for  example,  [15,  19,  23].)  Such  mappings  may  be  single-valued  or  multi-valued. 

So  far,  assertional  reasoning  has  been  used  primarily  to  prove  properties  of  sequential 
algorithms  and  synchronous  and  asynchronous  concurrent  algorithms.  We  would  also  like 
to  use  this  technique  to  prove  properties  of  concurrent  algorithms  whose  operation  depends 
on  time,  e.g.,  ones  that  arise  in  real-time  systems  or  ones  that  rely  on  clocks  that  tick  at 
approximately  known  rates.  Also,  the  kinds  of  properties  generally  proved  using  assertional 
reasoning  have  been  “ordinary”  safety  properties;  we  would  like  to  use  similar  methods  to 
prove  timing  properties  (upper  and  lower  bounds  on  time)  for  algorithms  that  have  timing 
assumptions.  Predictable  performance  is  often  a  desirable  characteristic  of  real-time  systems 
[38];  assertional  techniques  could  be  very  helpful  in  proving  such  performance  properties. 

In this paper, we describe one way in which assertional reasoning can be used to prove timing
properties for algorithms that have timing assumptions. Our method involves constructing
a multi-valued mapping from an automaton representing the given algorithm to another
automaton representing the timing requirements. The key to our method is a way of representing
a system with timing constraints as an automaton whose state includes predictive timing
information. Timing assumptions and timing requirements for the system are both represented in
this way, and the mappings we construct map from the “assumptions automaton” to the
“requirements automaton”. One type of mapping is based on a collection of “progress functions”
providing measures of progress toward timing goals.

We describe our method in terms of the timed automaton model, a slight variant of the
time constrained automaton model of [27]. We use this model to state the requirements to be
satisfied, to define the basic architectural and timing assumptions, to describe the algorithms,
and to prove their correctness and timing properties. A timed automaton is a pair (A,b),
consisting of an I/O automaton [23, 24], A, together with a boundmap, b, which is a formal
description of the timing assumptions for the components of the system. A timed automaton
generates a set of timed executions which describe the operation of the algorithm, and a
corresponding set of timed behaviors which describe the algorithm's externally-visible activity. In
this paper, a timed automaton (A,b) is used to describe the given system (including its timing
assumptions), and another timed automaton (A',b') is used to describe the correctness and
timing requirements.

While convenient for specifying timing assumptions and requirements, timed automata are
not directly suited for carrying out assertional proofs about timing properties, because timing
properties are described externally (by boundmaps) rather than being built into the automaton
itself. We therefore introduce a way of incorporating timing conditions into an automaton
definition. For a given timed automaton (A,b), we define the automaton time(A,b) to be an
ordinary I/O automaton (not a timed automaton) whose state includes predictive information
describing the first and last times at which various events can next occur; this information is
designed to enforce the timing conditions expressed by the boundmap b. The I/O automaton
time(A,b) is related to the timed automaton (A,b) in that a certain subset of the behaviors
of time(A,b), which we call the “admissible” behaviors, is exactly equal to the set of timed
behaviors of (A,b).

We apply this construction to both the system description (A,b) and the requirements
description (A',b'); our “assumptions automaton” is defined to be time(A,b) and our
“requirements automaton” is time(A',b'). Then the problem of showing that a given algorithm (A,b)
satisfies the timing requirements amounts to that of showing that any admissible behavior of
the automaton time(A,b) is also an admissible behavior of time(A',b'). We do this by using
invariant assertion techniques; in particular, we demonstrate a multi-valued mapping from
states of time(A,b) to states of time(A',b').

We define a special class of multi-valued mappings that appears to be especially useful.
Each such mapping is defined by a collection of inequalities relating the time bounds to be
proved (those expressed by b') to the values of a collection of “progress functions” defined on
the states of time(A,b). These progress functions provide upper and lower bound measures
of progress toward the timing goals expressed by b'. These functions generalize the notion
of progress function commonly used to prove termination of sequential programs and
asynchronous concurrent programs (see, e.g., the description of the method of well-founded sets
in [26]), to allow real-valued rather than just discrete measures, and to allow proofs of lower
bounds as well as upper bounds.

In order to demonstrate the use of our technique, we apply it to two examples. The first
example is a simple timing-dependent resource granting system, consisting of two
concurrently-operating components, a clock and a manager. The manager monitors the clock ticks, which
occur at an approximately known rate, and whenever a certain number have occurred, it grants
the resource. We prove upper and lower bounds on the amount of time prior to the first grant
and between each successive pair of grants.

The  second  example  involves  one  process  incrementing  a  counter  until  another  process 
modifies  a  flag,  and  then  decrementing  the  counter.  When  the  counter  reaches  0,  the  first 
process  announces  that  it  is  done.  We  show  upper  and  lower  bounds  on  the  time  until  the 
“done”  announcement  occurs. 

Technically, mapping techniques of the sort used in this paper are only capable of proving
safety properties, but not liveness properties. Timing properties have aspects of both safety
and liveness. A timing lower bound asserts that an event cannot occur before a certain amount
of time has elapsed; a violation of this property is detectable after a finite prefix of a timed
execution, and so a timing lower bound can be regarded as a safety property. A timing upper
bound asserts that an event must occur before a certain amount of time has elapsed. This
can be regarded as making two separate claims: that the designated amount of time does in
fact elapse (a liveness property), and that this amount of time cannot elapse without the event
having occurred (a safety property). In this paper, we assume the liveness property that time
increases without bound, so that all the remaining properties that need to be proved in order
to prove either upper or lower time bounds are safety properties. Thus, our mapping technique
provides complete proofs for timing properties without requiring any additional techniques for
arguing liveness.

There has been some prior work on using assertional reasoning to prove timing properties.
In particular, Haase [9], Hooman [11], Shankar and Lam [35], Tel [39], Schneider [34], Lewis
[17], Abadi and Lamport [2, 16], Lamport and Neumann [29] and Shaw [36] have all developed
models for timing-based systems that incorporate time information into the state, and have
used invariant assertions to prove timing properties. In [39] and [17], in fact, the information
that is included is similar to ours in that it is also predictive timing information (but not exactly
the same information as ours). None of this work has been based on mappings, however.

Lynch and Vaandrager [25] describe a wide range of mapping proof techniques for timing-based
systems, in the setting of a very general timed automaton model. One of the techniques
considered there, forward simulation, is very similar to our general multi-valued mapping
method. However, the model in [25] has less structure than the one considered here; in
particular, it lacks the component structure that is needed to describe our progress function
technique.

Several other, quite different formal approaches to proving timing properties have also been
developed, based on state machines (e.g., [8]), first-order logic (e.g., [12, 13]), temporal logic
(e.g., [3, 6, 10, 30, 32]), Petri nets (e.g., [7, 37]) and process algebras (e.g., [14, 40]). (See the
survey by Ostroff [31].)

An  earlier  version  of  this  paper  appears  in  [21]. 

The rest of the paper is organized as follows. Section 2 contains a description of the
underlying formal models: I/O automata and timed automata. Section 3 contains the construction
used to incorporate timing conditions into I/O automata, and some basic properties of these
automata. Section 4 contains our definitions for mappings and for collections of progress
functions, and shows that the existence of such mappings and collections implies that a given
algorithm satisfies a given set of timing requirements. Section 5 contains our examples, the
simple resource-granting system and the two-process race system. For each of these examples,
this section contains a description of the system, a description of the corresponding
requirements automaton, and a correctness proof using mappings. We conclude with a discussion in
Section 6.


2 Formal Model


In  this  section,  we  present  the  definitions  for  the  underlying  formal  model.  In  particular,  we 
define  I/O  automata,  timed  automata  and  timing  conditions.  We  also  present  some  of  their 
relevant  properties. 


2.1  I/O  Automata 


We  begin  by  summarizing  some  of  the  key  definitions  for  the  I/O  automaton  model.  We  refer 
the  reader  to  [23,  24]  for  a  complete  presentation  of  the  model  and  its  properties. 

An I/O automaton, A, consists of the following pieces: acts(A), a set of actions, classified
as output, input and internal (input and output actions are called external); states(A), a set of
states, including a distinguished subset, start(A), of start states; steps(A), a set of steps, where
a step is defined to be a (state, action, state) triple; and part(A), a partition of the locally
controlled (output and internal) actions into equivalence classes; the partition groups together
actions that are to be thought of as under the control of the same underlying process.

An action π is said to be enabled in a state s' provided that there is a step of the form
(s',π,s). An automaton is required to be input enabled, which means that every input action
must be enabled in every state. For any set Π ⊆ acts(A), we denote by enabled(A,Π) the set
of states of A in which some action in Π is enabled, and by disabled(A,Π) the set of all
states of A not in enabled(A,Π), that is, disabled(A,Π) = states(A) \ enabled(A,Π). We use
the term event to refer to an occurrence of an action in a sequence.


An execution fragment of an I/O automaton A is a sequence (finite or infinite) of alternating
states and actions

s_0, π_1, s_1, π_2, s_2, ...

where for every i, (s_{i-1}, π_i, s_i) ∈ steps(A). (If the sequence is finite, then it is required to end
with a state.) An execution is an execution fragment with s_0 ∈ start(A). The schedule of an
execution α is the subsequence of α consisting of all the events appearing in α, and the behavior
of α is the subsequence consisting of all the external events. The schedules and behaviors of A
are just those of the executions of A. An extended step is a triple (s',β,s) for which there is
an execution fragment that starts and ends with s' and s, respectively, and whose schedule is
β.


Concurrent systems are modeled by compositions of I/O automata, as defined in [23, 24]. In
order to be composed, automata must be strongly compatible; this means that no action can be
an output of more than one component, that internal actions of one component are not shared
by any other component, and that no action is shared by infinitely many components. The
result of such a composition is another I/O automaton. The hiding operator can be applied to
reclassify output actions as internal actions.




2.2  Timed  Automata 


In this subsection, we augment the I/O automaton model to allow discussion of timing
properties. The treatment here is similar to the one described in [5] and is a special case of the
definitions proposed in [27]. A boundmap for an I/O automaton A is a mapping that
associates a closed subinterval of [0, ∞] with each class in part(A), where the lower bound of each
interval is not ∞ and the upper bound is nonzero. Intuitively, the interval associated with a
class C by the boundmap represents the range of possible lengths of time between successive
times when C “gets a chance” to perform an action. We sometimes use the notation b_l(C) to
denote the lower bound assigned by boundmap b to class C, and b_u(C) for the corresponding
upper bound. A timed automaton is a pair (A,b), where A is an I/O automaton and b is a
boundmap for A.

We  require  notions  of  “timed  execution”,  “timed  schedule”  and  “timed  behavior”  for  timed 
automata,  corresponding  to  executions,  schedules  and  behaviors  for  ordinary  I/O  automata. 
These  will  all  include  time  information.  We  begin  by  defining  the  basic  type  of  sequence  that 
underlies  the  definition  of  a  timed  execution. 

Definition 2.1 A timed sequence (for an I/O automaton A) is a (finite or infinite) sequence
of alternating states and (action, time) pairs,

satisfying the following conditions.

1. The states s_0, s_1, ... are in states(A).

2. The actions π_1, π_2, ... are in acts(A).

3. The times t_1, t_2, ... are successively nondecreasing nonnegative real numbers.

4. If the sequence is finite, then it ends in a state s_i.

5. If the sequence is infinite then the times are unbounded.

For a given timed sequence, we use the convention that t_0 = 0. For any finite timed
sequence α, we define endtime(α) to be the time of the last event in α, if α contains any
(action,time) pairs, or 0, if α contains no such pairs. Also, we define endstate(α) to be the last
state in α. We denote by ord(α) (the “ordinary” part of α) the sequence

i.e., α with time information removed.

If i is a nonnegative integer and C ∈ part(A), we say that i is an initial index for C in α if
s_i ∈ enabled(A,C) and either i = 0 or s_{i-1} ∈ disabled(A,C) or π_i ∈ C. Thus, an initial index
for class C is the index of an event at which C becomes enabled; it indicates a point in α from
which we will begin measuring upper and lower time bounds.
Definition 2.2 Suppose (A,b) is a timed automaton. Then a timed sequence α is a timed
execution of (A,b) provided that ord(α) is an execution of A and α satisfies the following
conditions, for each class C ∈ part(A) and every initial index i for C in α.

1. If b_u(C) < ∞ then there exists j > i with t_j ≤ t_i + b_u(C) such that either π_j ∈ C or
s_j ∈ disabled(A,C).

2. There does not exist j > i with t_j < t_i + b_l(C) and π_j ∈ C.

The first condition says that, starting from an initial index for C, within time b_u(C) either
some action in C occurs or there is a point at which no such action is enabled. Note that if
b_u(C) = ∞, no upper bound requirement is imposed. The second condition says that, again
starting from an initial index for C, no action in C can occur before time b_l(C) has elapsed.
Note in particular that if a class C becomes disabled and then enabled once again, the lower
bound calculation gets “restarted” at the point where the class becomes re-enabled.

The timed schedule of a timed execution of a timed automaton (A,b) is the subsequence
consisting of the (action,time) pairs, and the timed behavior is the subsequence consisting of the
(action,time) pairs for which the action is external. The timed schedules and timed behaviors
of (A,b) are just those of the timed executions of (A,b).

We model each timing-dependent concurrent system as a single timed automaton (A,b),
where A is a composition of ordinary I/O automata (possibly with some output actions
hidden).¹ We also model problem specifications, including timing properties, in terms of timed
automata.

We  note  that  the  definition  we  use  for  timed  automata  may  not  be  sufficiently  general  to 
capture  all  interesting  systems  and  timing  requirements.  It  does  capture  many,  however;  we 
discuss  this  further  in  Section  6. 


3 Incorporating Timing Conditions into I/O Automata

In order to use invariant assertion techniques to reason about timed automata, we define an
ordinary I/O automaton time(A,b) corresponding to a given timed automaton (A,b). This
new automaton has the timing restrictions imposed by b on A built into its transition rules,
based on predictions about when the next event from each set of actions will occur. In this
section, we give the construction of time(A,b) and also give results that relate the executions
and behaviors of time(A,b) to the timed executions and timed behaviors of (A,b).

The close relationships between (A,b) and time(A,b) suggest the possibility of avoiding
the timed automaton definition entirely, instead using the time(A,b) notion as the starting
point for our work. We prefer to begin with the timed automaton definition because we
regard that definition as the more fundamental of the two, expressed as it is in terms of a
traditional asynchronous system with some additional timing restrictions. As will be seen
below, the time(A,b) definition introduces special constructs (e.g., special NULL actions and
special variables such as time), which are quite useful in proofs, but which do not seem to be
fundamental parts of system descriptions. Another reason we prefer to begin with the timed
automaton definition is that it has already been used elsewhere ([27, 5]). Moreover, we believe
that the elegant relationship between the two expressed by Theorem 3.1 is interesting in its
own right.

¹An equivalent way of looking at each system is as a composition of timed automata. An appropriate
definition for a composition of timed automata is developed in [37], together with theorems showing the
equivalence of the two viewpoints.

3.1 Definition of time(A,b)

Given any timed automaton (A,b), we define the ordinary I/O automaton time(A,b). The
automaton time(A,b) has as its actions all pairs of the form (π,t), where π is an element of
acts(A) ∪ {NULL} and t is a nonnegative real number; here NULL is a “null action” that
represents the passage of time. The classification of actions into input, output and internal
actions is derived from that for A, with the additional stipulation that each (NULL,t) is an
internal action. (The NULL action is similar to the unit action, 1, of SCCS [28] and to the
time-passage actions of [25].) Each of the states of time(A,b) consists of a state, basic, of A,
augmented with a variable time, and, for each class C of the partition of A, two variables
first(C) and last(C). The value of the time variable represents the time of the last preceding
event. The values of the first(C) and last(C) variables represent, respectively, the first and
last times at which an event in class C is permitted to occur.

We use record notation to denote the various components of the state of time(A,b): for
instance, s.basic denotes the state of A included in state s of time(A,b). Each start state of
time(A,b) consists of a start state s of A, plus time = 0, plus values of first(C) and last(C)
with the following property: if there is an action in C enabled in s, then s.first(C) = b_l(C) and
s.last(C) = b_u(C); otherwise, s.first(C) = 0 and s.last(C) = ∞. That is, if the start state of A
has an action in C enabled, then the predicted times are the ones specified in the boundmap
for C; otherwise, they are set to default values.

If (π,t) is an action of time(A,b), then (s',(π,t),s) is defined to be a step of time(A,b)
exactly if all of the following conditions hold.

1. If π ∈ acts(A) then:

(a) s'.time = t = s.time.

(b) (s'.basic, π, s.basic) ∈ steps(A).

(c) For each C ∈ part(A):

i. If π ∈ C then s'.first(C) ≤ t.

ii. If s.basic ∈ enabled(A,C) and π ∉ C and s'.basic ∈ enabled(A,C) then
s.first(C) = s'.first(C) and s.last(C) = s'.last(C).

iii. If s.basic ∈ enabled(A,C) and either π ∈ C or s'.basic ∈ disabled(A,C) then
s.first(C) = t + b_l(C) and s.last(C) = t + b_u(C).

iv. If s.basic ∈ disabled(A,C), then s.first(C) = 0 and s.last(C) = ∞.

2. If π = NULL then

(a) s'.time ≤ t = s.time.

(b) s.basic = s'.basic.

(c) t ≤ s'.last(C), for each C ∈ part(A).

(d) s.first(C) = s'.first(C) and s.last(C) = s'.last(C), for each C ∈ part(A).

The meaning of these conditions is as follows. Condition 1 describes restrictions for the case
where π is an action of A. Condition 1(a) says that time does not pass during the performance
of non-null actions, and Condition 1(b) says that the steps associated with non-null actions
correctly simulate steps of A. Condition 1(c) describes the use and manipulation of the first
and last variables during non-null steps. Condition 1(c)i says that a locally controlled step is
only permitted to occur at a time that is at least as great as the first time specified for that
action's partition class. Condition 1(c)ii says that an action not in a particular class that keeps
the class enabled does not alter the timing predictions for that class. Condition 1(c)iii says
that an action that enables a particular class sets the timing predictions for that class to the
values specified by the boundmap. Finally, Condition 1(c)iv says that an action that leaves a
particular class disabled sets the timing predictions to the default values.

Similarly, Condition 2 describes restrictions for the case where π is the special null action.
Condition 2(a) says that time cannot move backwards when a null action is performed, and
Condition 2(b) says that the steps associated with null actions do not cause any changes to
the underlying state of A. Condition 2(c) says that time cannot pass beyond the latest time
specified for any class, and Condition 2(d) says that timing predictions are unaltered by the
passage of time.

It is easy to check that for any reachable state s of time(A, b) and any class C of the partition, the following facts are true. First, it must be the case that s.last(C) ≥ s.time (although it is possible to have s.first(C) < s.time). Second, if s.basic ∈ enabled(A, C) then s.last(C) ≤ s.time + b_u(C) and s.first(C) ≤ s.time + b_l(C). Third, if s.basic ∈ disabled(A, C) then both the last(C) and first(C) variables have their default values (∞ and 0, respectively).

The partition classes for time(A, b) are derived one-for-one from those of A, with the addition of a single new class for all the (NULL, t) actions.* Note that a similar automaton was defined in [5, 21]; it differs in not containing special “null” actions.

We  will  be  particularly  interested  in  a  subset  of  the  executions  of  time{A,b),  that  we  call 
the  “admissible  executions”.  Informally,  the  admissible  executions  are  those  in  which  time 
continues  to  pass  without  bound. 

*We will not need these classes in this paper, however, since the purpose of I/O automaton partition classes is to enforce fairness to the components of the system, and we will not require such fairness conditions.
Definition 3.1 An execution of time(A, b) is said to be admissible provided the times associated with the NULL events in the execution are unbounded. The admissible schedules and admissible behaviors of time(A, b) are defined to be the schedules and behaviors, respectively, of admissible executions of time(A, b).

Note that any admissible execution must have infinitely many NULL events, in order that the associated times might be unbounded. In each of our examples in this paper, we will apply the time(A, b) construction to a timed automaton A modeling the entire system under consideration.
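As an added illustration (not part of the paper), the following Python models the time(A, b) construction on a small constructed automaton: it builds the start state, checks each (action, time) pair against Conditions 1 and 2, computes the unique successor state, and computes project(α) as defined in Subsection 3.2. The toy automaton, its boundmap, and the exact reading of Conditions 1(c)i–iii (taken from the prose summary above) are assumptions of the example.

```python
from dataclasses import dataclass, replace
from math import inf

NULL = "NULL"

# Constructed toy automaton A (not from the paper): the basic state is a counter.
# Action 'tick' (class TICK) is enabled while the counter is below 2; action
# 'done' (class DONE) is enabled exactly when the counter equals 2.  Both actions
# are locally controlled.  The boundmap b gives (b_l(C), b_u(C)) per class.
CLASS_OF = {"tick": "TICK", "done": "DONE"}
BOUNDMAP = {"TICK": (1.0, 3.0), "DONE": (0.0, 5.0)}


def enabled(basic, cls):
    """enabled(A, C): is some action of class cls enabled in basic state `basic`?"""
    return (cls == "TICK" and basic < 2) or (cls == "DONE" and basic == 2)


def step_A(basic, action):
    """Transition relation of A: the new basic state, or None if not a step of A."""
    return basic + 1 if enabled(basic, CLASS_OF[action]) else None


@dataclass
class TState:
    """A state of time(A, b): basic state of A, current time, first/last per class."""
    basic: int
    time: float
    first: dict
    last: dict


def start_state():
    """Start state of time(A, b): time 0; first/last set from the boundmap for
    enabled classes, and to the defaults 0 / infinity for disabled ones."""
    first = {C: (bl if enabled(0, C) else 0.0) for C, (bl, bu) in BOUNDMAP.items()}
    last = {C: (bu if enabled(0, C) else inf) for C, (bl, bu) in BOUNDMAP.items()}
    return TState(0, 0.0, first, last)


def successor(s_prime, action, t):
    """Unique successor s with (s_prime, (action, t), s) a step of time(A, b),
    or None when the pair violates the definition.  Conditions 1(c)i-iii are
    coded from the paper's prose summary; that reading is an assumption."""
    if action == NULL:
        # Condition 2(a): time may not move backwards.  Condition 2(c): time may
        # not pass beyond any last(C).  2(b)/2(d): basic and predictions unchanged.
        if t < s_prime.time or any(t > s_prime.last[C] for C in BOUNDMAP):
            return None
        return replace(s_prime, time=t)
    if t != s_prime.time:                       # Condition 1(a): no time passes
        return None
    basic = step_A(s_prime.basic, action)
    if basic is None:                           # Condition 1(b): must be a step of A
        return None
    fired = CLASS_OF[action]
    if s_prime.first[fired] > t:                # Condition 1(c)i: lower bound respected
        return None
    first, last = {}, {}
    for C, (bl, bu) in BOUNDMAP.items():
        if not enabled(basic, C):               # 1(c)iv: class left disabled -> defaults
            first[C], last[C] = 0.0, inf
        elif C == fired or not enabled(s_prime.basic, C):
            first[C], last[C] = t + bl, t + bu  # 1(c)iii: (re)started from the boundmap
        else:                                   # 1(c)ii: untouched class keeps predictions
            first[C], last[C] = s_prime.first[C], s_prime.last[C]
    return TState(basic, t, first, last)


def run(schedule):
    """Drive time(A, b) from its start state along a finite list of (action, time)
    pairs.  Returns every state visited, or None at the first illegal step."""
    states = [start_state()]
    for action, t in schedule:
        nxt = successor(states[-1], action, t)
        if nxt is None:
            return None
        states.append(nxt)
    return states


def is_finite_execution(schedule):
    """True iff the schedule (with its NULL events) is a finite execution of time(A, b)."""
    return run(schedule) is not None


def project(states, schedule):
    """project(alpha) from Subsection 3.2: keep s.basic, drop NULL events and the
    state that follows each of them.  Returns [basic, (action, t), basic, ...]."""
    out = [states[0].basic]
    for (action, t), s in zip(schedule, states[1:]):
        if action != NULL:
            out += [(action, t), s.basic]
    return out


if __name__ == "__main__":
    sched = [(NULL, 1.5), ("tick", 1.5), (NULL, 3.0), ("tick", 3.0), (NULL, 5.0), ("done", 5.0)]
    print(project(run(sched), sched))
```

Because time passes only in NULL steps, every schedule that lets a locally controlled class fire late must interleave a NULL event first, which is exactly the construction used in the proof of Lemma 3.4.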


3.2 Relationship between (A, b) and time(A, b)

In this subsection, we relate a timed automaton (A, b) to the corresponding I/O automaton time(A, b); specifically, we prove the following main theorem, Theorem 3.1, which relates the timed behaviors of (A, b) and the admissible behaviors of time(A, b). (Note that both behaviors are sequences of pairs of the form (π, t), where π is an action and t is a time.)

Theorem 3.1 The set of timed behaviors of (A, b) is the same as the set of admissible behaviors of time(A, b).

This theorem implies that properties of timed behaviors of a timed automaton (A, b) can be proved by proving them about the set of admissible behaviors of the corresponding I/O automaton time(A, b). The latter task is more amenable to treatment using assertional techniques.

The  rest  of  this  subsection  is  devoted  to  proving  Theorem  3.1.  The  concepts  and  lemmas 
used  in  this  proof  are  not  needed  outside  of  the  proof,  so  the  reader  may  wish  to  skip  the  rest 
of  this  subsection  on  a  first  reading. 

First,  the  definition  of  a  timed  execution  contains  aspects  of  both  safety  and  liveness.  In 
the  proof,  it  is  useful  to  focus  first  on  the  safety  aspects  alone.  We  thus  define  the  notion  of  a 
“timed  semi-execution”  to  capture  the  safety  part  of  the  definition  of  a  timed  execution. 

Definition 3.2 Suppose (A, b) is a timed automaton. Then a finite timed sequence α is a timed semi-execution of (A, b) provided that ord(α) is an execution of A and α satisfies the following conditions, for each class C of part(A) and every initial index i for C in α.

1. If b_u(C) < ∞ then either endtime(α) < t_i + b_u(C) or there exists j > i with t_j ≤ t_i + b_u(C) such that either π_j ∈ C or s_j ∈ disabled(A, C).

2. There does not exist j > i with t_j < t_i + b_l(C) and π_j in C.
This definition is identical to that of a finite timed execution (Definition 2.2), except for the “either” clause in the first item. This clause allows an action to fail to occur if insufficient time has passed by the end of the execution. (Recall that endtime(α) refers to the time of the last event in α.) We prove two technical lemmas about the properties of timed semi-executions. The first lemma gives a condition on a timed semi-execution that ensures that it is a timed execution.

Lemma 3.2 Suppose that α is a timed semi-execution of a timed automaton (A, b). Then α is a timed execution if and only if each locally controlled action of A that is enabled in state endstate(α) is in a partition class C in part(A) such that b_u(C) = ∞.

Proof:  Straightforward.  ■ 

The  second  lemma  says  that  the  limit  of  a  sequence  of  timed  semi-executions  in  which  the 
times  are  unbounded  must  be  a  timed  execution. 

Lemma 3.3 Let α_1, α_2, … be a sequence of timed semi-executions of (A, b) such that the following conditions hold.

1. For any i ≥ 1, α_i is a prefix of α_{i+1}.

2. lim_{i→∞} endtime(α_i) = ∞.

Then the limit of the α_i under the extension ordering is a timed execution of (A, b).

Proof:  Straightforward.  ■ 

We now show a simple correspondence between the timed semi-executions of (A, b) and the finite executions of time(A, b). We require an auxiliary definition. Namely, if α is an execution of time(A, b), we define project(α) to be the timed sequence obtained from α by mapping each occurrence of a state s in α to s.basic while keeping the (action, time) pairs intact, and then removing any NULL events, together with their immediately following states.

Lemma 3.4 Let (A, b) be a timed automaton.

1. If α' is a timed semi-execution of (A, b), then there exists a finite execution α of time(A, b) such that α' = project(α).

2. If α is a finite execution of time(A, b), then project(α) is a timed semi-execution of (A, b).
Proof: 1. Suppose that α' is a timed semi-execution of (A, b). First we construct α'', an alternating sequence of states of A and actions of time(A, b), by inserting exactly one NULL event before the first event in α' and between every pair of events in α'; more precisely, if s and (π, t) occur consecutively in α', then α'' replaces this pair with the sequence s, (NULL, t), s, (π, t). (The reason we need to insert the NULL events is that they are the only kinds of events of time(A, b) that allow time to pass.)

Now we modify α'' to obtain α, a finite sequence of alternating states and actions of time(A, b), by adding time, last and first variables to all the states in α''. We do this in the unique way that guarantees that the first state is a start state of time(A, b) and that Conditions 1(a), 1(c)ii-iv, 2(a) and 2(d) of the definition of time(A, b) are satisfied. Then α' = project(α). We show that α is an execution of time(A, b) by showing that each step of α satisfies the remaining conditions of the definition of time(A, b).

The fact that α' is a timed semi-execution of (A, b) implies Condition 1(b), and Condition 2(b) holds by construction. Condition 1 of Definition 3.2 ensures Condition 2(c) of the definition of time(A, b), while Condition 2 of Definition 3.2 ensures Condition 1(c)i of the definition of time(A, b).

2. Let α' = project(α). By Conditions 1(b) and 2(b) of the definition of time(A, b), ord(α') is an execution of the ordinary I/O automaton A. It remains to show that for every class C, α' satisfies Conditions 1 and 2 of Definition 3.2 for C (and every i ≥ 0).

The initialization and Condition 1(c)iii of the definition of time(A, b) imply that the correct upper bounds are assigned to the last(C) variable whenever C becomes enabled, and Conditions 1(c)ii and 2(d) imply that those bounds do not change until an action in C occurs or C becomes disabled. Condition 2(c) then implies that the upper bounds are respected, which implies Condition 1 of Definition 3.2 for C. Similarly, the initialization and Condition 1(c)iii imply that the correct lower bounds are assigned to the first(C) variable whenever C becomes enabled, and Conditions 1(c)ii and 2(d) imply that those bounds do not change until an action in C occurs or C becomes disabled. Condition 1(c)i then implies that the lower bound is respected, which implies Condition 2 of Definition 3.2 for C. ■


Next, we show a correspondence between the timed executions of (A, b) and the admissible executions of time(A, b).

Lemma 3.5 1. If α' is a timed execution of (A, b), then there exists an admissible execution α of time(A, b) such that α' = project(α).

2. If α is an admissible execution of time(A, b), then project(α) is a timed execution of (A, b).
Proof: 1. Suppose α' is a timed execution of (A, b). We carry out a similar construction to that in Part 1 of Lemma 3.4, except that if α' is finite, we augment α with an infinite suffix of NULL actions, associated with times that increase without bound. The argument is similar to before; the main difference is that we must argue that Condition 2(c) of the definition of time(A, b) is not violated by the trailing NULL events. More specifically, if α' is finite, then since it is a timed execution, Lemma 3.2 implies that each locally controlled action that is enabled in state endstate(α') is in a partition class C with b_u(C) = ∞. Then the definition of time(A, b) implies that last(C) = ∞ for all C ∈ part(A), in all states of α just prior to the trailing NULL events. This implies that the trailing NULL events cannot cause violations of 2(c).

2. Suppose that α = s_0, (π_1, t_1), s_1, … is an admissible execution of time(A, b), and let α' = project(α). Let α_i be the prefix of α ending with s_i, and let α'_i = project(α_i), for each i ≥ 0. Then each α'_i is a prefix of α'_{i+1}, and α' is the limit of the α'_i under the extension ordering. Since α_i is a finite execution of time(A, b), Part 2 of Lemma 3.4 implies that α'_i is a timed semi-execution of (A, b), for each i ≥ 0. We consider two cases.

First, suppose α' is infinite. Then α does not have a suffix consisting entirely of NULL events. Since the times of the actions in α are unbounded, and α does not have a suffix consisting entirely of NULL events, it follows that lim_{i→∞} endtime(α'_i) = ∞. Then Lemma 3.3 implies that α' is a timed execution of (A, b).

Second, suppose that α' is finite. Then α has a suffix consisting entirely of NULL events, say starting after s_j, for some fixed j, and α' = α'_j. As argued above, α'_j is a timed semi-execution of (A, b), so α' is a timed semi-execution of (A, b). Condition 2(c) of the time(A, b) definition and the fact that times increase without bound in α imply that each locally controlled action of A that is enabled in state s_j.basic is in a partition class C in part(A) such that b_u(C) = ∞. Since endstate(α') = s_j.basic, Lemma 3.2 implies that α' is a timed execution of (A, b). ■


Proof: (of Theorem 3.1) Immediate by Lemma 3.5. ■


4  Sufficient  Conditions  for  Inclusion  of  Timed  Behavior  Sets 

In this section, we describe a method for showing that the timed behaviors of one timed automaton, (A, b), are also timed behaviors of another timed automaton, (A', b'). This method uses the construction in Section 3; i.e., it involves showing that the admissible behaviors of time(A, b) are also admissible behaviors of time(A', b'). As we describe in Subsection 4.1, our basic method involves mapping states of time(A, b) to sets of states of time(A', b') and is a special case of the possibilities mapping method described in [23, 24].

In the examples later in this paper (as well as others to which we have applied this mapping method), the mappings that are constructed are expressible in a particular form: in terms of inequalities involving the values of the state variables of the time(A, b) and time(A', b') automata. In particular, these inequalities assert that the value of each last(C) variable of time(A', b') is at least as great as a certain real-valued “progress function” of the values of the state variables of time(A, b), and also that the value of each first(C) variable of time(A', b') is no greater than another such function. These functions can be thought of as measures of progress of the system time(A, b) toward the goals of producing events from the various partition classes C of time(A', b'). In Subsection 4.2, we define our notion of progress function and show how such functions can be used to generate correct mappings.

Our notion of progress function is similar to the notion of progress function commonly used to prove liveness properties of sequential and asynchronous concurrent programs (e.g., in [26]); however, our notion generalizes the usual notion in that ours allows real-valued rather than just discrete measures, and that ours applies to lower bounds as well as upper bounds.


4.1  Strong  Possibilities  Mappings 

In this subsection, we define the notion of a strong possibilities mapping from an automaton of the form time(A, b) to another automaton time(A', b').* We then prove our basic theorem about strong possibilities mappings, namely, that the existence of such a mapping implies that the timed behaviors of (A, b) are all timed behaviors of (A', b').

Recall  from  Section  2.1  the  definition  of  an  extended  step  of  an  arbitrary  I/O  automaton. 

Definition 4.1 Let (A, b) and (A', b') be timed automata with the same set Π of external actions. Let f be a mapping from states of time(A, b) to sets of states of time(A', b'). The mapping f is a strong possibilities mapping from time(A, b) to time(A', b') provided that the following conditions hold:

1. For every start state s of time(A, b), there is a start state u of time(A', b') such that u ∈ f(s).

2. If s' is a reachable state of time(A, b), u' ∈ f(s') is a reachable state of time(A', b') and (s', (π, t), s) is a step of time(A, b), then there is an extended step (u', β, u) of time(A', b'), such that u ∈ f(s) and β|(Π × R) = (π, t)|(Π × R).†

3. If s and u are reachable states of time(A, b) and time(A', b'), respectively, and u ∈ f(s), then u.time = s.time.

*This is a strengthened version of the definition of “possibilities mapping” in [24], where the strengthening involves the addition of the third condition. The term “possibilities” is used to suggest the different possible states in an image set. An alternative formulation is in terms of relations rather than mappings, as is described in [25].

†We use the notation R in this paper to represent the nonnegative real numbers.
The first condition in the mapping definition establishes a correspondence between start states of the two automata, while the second condition establishes a correspondence between steps of time(A, b) and extended steps (as defined in Section 2.1) of time(A', b'); this correspondence must preserve the sequences of timed external events. The third condition simply asserts that the current times of corresponding states must be identical.

The  following  key  lemma  says  that  the  existence  of  a  strong  possibilities  mapping  is  a 
sufficient  condition  for  the  inclusion  of  admissible  behaviors. 

Lemma 4.1 Suppose that there is a strong possibilities mapping from time(A, b) to time(A', b'). Then any admissible behavior of time(A, b) is an admissible behavior of time(A', b').

Proof: Let β be an admissible behavior of time(A, b), and let α be an admissible execution of time(A, b) whose behavior is β. For each finite prefix α_i of α that ends with a state, it is possible to construct a finite execution, α'_i, of time(A', b') having the same behavior as α_i and such that the values of the time variables of the final states of both executions are identical. Moreover, it is possible to do this in such a way that each α'_i is a prefix of α'_{i+1}. (The construction is by induction on i, using Conditions 1 and 2 of Definition 4.1.) Let α' be the limit of the α'_i; then α' is an execution of time(A', b'), and the behavior of α' is the same as the behavior of α, which is β.

Since α is admissible, the values of the time variables of the final states of the α_i increase without bound as i approaches infinity. Since the values of the time variables are the same in the final states of α_i and α'_i, the values of the time variables of the final states of the α'_i also increase without bound as i approaches infinity. It follows that α' is an admissible execution of time(A', b') with behavior β. Thus, β is an admissible behavior of time(A', b'). ■

Now  we  give  the  main  theorem  of  this  subsection,  which  expresses  the  basic  mapping 
technique  for  timed  automata. 

Theorem 4.2 Suppose that there is a strong possibilities mapping from time(A, b) to time(A', b'). Then any timed behavior of (A, b) is a timed behavior of (A', b').

Proof:  Immediate  from  Lemma  4.1  and  Theorem  3.1.  ■ 

This  theorem  says  that  the  existence  of  a  strong  possibilities  mapping  is  sufficient  by  itself 
to  yield  the  desired  inclusion  result  for  timed  behaviors.  Since  the  timed  behaviors  of  a  timed 
automaton  embody  both  safety  and  liveness  restrictions,  it  follows  that  this  mapping  technique 
suffices  to  show  both  types  of  properties.  This  is  in  contrast  to  the  situation  for  non-timed 
systems,  where  analogous  mapping  techniques  only  yield  safety  properties.  (In  [1],  for  example, 
extra  machinery  in  the  form  of  a  “supplementary  property”  is  added  to  the  mapping  machinery 
in  order  to  allow  proofs  of  liveness  properties.) 
Lynch and Vaandrager [25] generalize our Lemma 4.1 to the setting of a more general and abstract timed automaton model. However, there is no corollary analogous to our Theorem 4.2 in that paper; also, the model in [25] lacks the partition class structure of the model of this paper, which is needed to describe the progress function technique we describe in the following subsection.


4.2 Progress Function Collections

In  this  subsection,  we  define  our  notion  of  progress  functions  and  show  how  they  can  be  used 
to  generate  strong  possibilities  mappings. 

The progress function definition is presented in terms of a pair of timed automata, (A, b) and (A', b'), where (A, b) describes the system under study and (A', b') describes the requirements to be satisfied. The underlying automaton, A', of (A', b') is used to describe correctness requirements that do not involve time, whereas the boundmap b' is used to describe timing requirements; more specifically, b' specifies upper and lower bounds for various kinds of events to occur, where each “kind of event” corresponds to a partition class C of A'. Thus, for each class C, the definition mentions one progress function g_C to describe progress toward guaranteeing the upper bound requirement given by b'_u(C), and another progress function h_C to describe progress toward guaranteeing the lower bound requirement given by b'_l(C). Each of these progress functions is a function from the states of automaton time(A, b) to R ∪ {∞}. Along with the functions g_C and h_C, the definition also uses another function f that describes a correspondence between states of the underlying automata A and A'.* The various conditions in the definition assert that the function f is a correct correspondence between states of A and A', and that the functions g_C and h_C provide correct measures of progress toward their respective goals.

We caution the reader that this definition is somewhat technical. One aspect that may seem confusing is that it is based on a mixture of the two styles of definition, time(A, b) versus (A', b'). However, note that the mixture is completely consistent, always using the time(A, b) definition at the lower level and the (A', b') at the higher level. The time(A, b) definition is used at the lower level because the progress measures are naturally defined in terms of states of time(A, b) (in particular, in terms of the values of the first and last variables). On the other hand, the (A', b') definition is used at the higher level because it permits decomposition of the properties that need to be shown to demonstrate the existence of a strong possibilities mapping into very small pieces.

In Section 5, we verify timing properties for two examples using progress functions. We note that it is possible to avoid the progress function definition entirely, and verify correctness and timing properties for our examples directly from Theorem 4.2. (In fact, that is how similar proofs are carried out in the preliminary version of this paper [21].) However, examination

*This function could also be replaced by a multi-valued mapping, but this causes notational complications we thought it best to avoid.
of our proofs based on Theorem 4.2 shows that they all use the notion of progress function implicitly. This subsection is our attempt to make this strategy explicit.


Definition 4.2 Let (A, b) and (A', b') be timed automata with the same set Π of external actions. Let f be a mapping from states of time(A, b) to states of A'. For each C ∈ part(A'), let g_C and h_C be mappings from states of time(A, b) to R ∪ {∞}. Then the collection of mappings (f, (g_C, h_C)_{C ∈ part(A')}) is a progress function collection from (A, b) to (A', b') provided that the following conditions hold:

1. If s is a start state of time(A, b) and v = f(s), then v is a start state of A'. Moreover, for each C ∈ part(A') such that v ∈ enabled(A', C), we have g_C(s) ≤ b'_u(C) and h_C(s) ≥ b'_l(C).

2. Suppose s' is a reachable state of time(A, b) and (s', (π, t), s) is a step of time(A, b), where π ≠ NULL. Suppose v' = f(s'), v = f(s), and v' is a reachable state of A'. Then there is an execution fragment α of A' beginning and ending with v' and v respectively, such that:

(a) α|Π = π|Π.

(b) For each C ∈ part(A'):

i. If b'_l(C) > 0 and a C event occurs in α, then there is only one C event in α, all states occurring in α prior to the C event are in enabled(A', C) and t ≥ h_C(s').

ii. If all states in α are in enabled(A', C) and if no C events occur in α then g_C(s) ≤ g_C(s') and h_C(s) ≥ h_C(s').

iii. If v ∈ enabled(A', C), and if either there is a state in α in disabled(A', C) or if a C event occurs in α, then g_C(s) ≤ t + b'_u(C) and h_C(s) ≥ t + b'_l(C).

3. Suppose s' is a reachable state of time(A, b) and (s', (NULL, t), s) is a step of time(A, b). Suppose v' = f(s'), v = f(s), and v' is a reachable state of A'. Then:

(a) v' = v.

(b) For each C ∈ part(A'):

i. t ≤ g_C(s').

ii. g_C(s) ≤ g_C(s') and h_C(s) ≥ h_C(s').

The meaning of these conditions is as follows. Condition 1 asserts that any start state s of time(A, b) corresponds to a start state of A'; moreover, the value for each progress function in state s is defined in an appropriate way to enable proof of the desired bound. For example, consider the upper bound requirement for class C, as specified by the boundmap value b'_u(C). If class C is enabled in state v and remains enabled, then we will wish to prove that some action in C will occur by time at most b'_u(C). In order to use the progress function g_C as a progress measure to prove this upper bound, we require that the initial value of g_C should be no greater than the bound b'_u(C) to be proved.

Condition 2 asserts that each non-null step of time(A, b) has a corresponding execution fragment of A' satisfying certain properties. Condition 2(a) says that the execution fragment exhibits the same external behavior as the given step, while Condition 2(b) says that the values of the progress function are handled appropriately to enable proof of the desired bounds. Condition 2(b)i says that each progress function h_C does in fact describe a lower bound on the time by which an action in C may occur. If the lower bound specified by the boundmap b' for C is 0, then there is nothing to show for this condition; if it is nonzero, then a C event should only occur if the time at which it occurs is at least as great as the time h_C(s'). However, there is a technicality that arises in this condition: recall that the lower bound requirement for C is restarted whenever C becomes enabled or a C event occurs. This means that a violation of the lower bound requirement given by b'_l(C) could occur in the given execution fragment if class C becomes enabled in the fragment or a C event occurs, and then a subsequent event of C occurs; even though the time for this C event is at least h_C(s'), that time might not be sufficiently great to satisfy the restarted lower bound requirement. In order to cope with this troublesome situation, we simply rule out this pattern from the execution fragments we consider.

Condition 2(b)ii simply says that the progress functions are maintained properly when no relevant steps occur; for example, consider the upper bound requirement for class C. If no events in C occur and C remains enabled, then the progress function used as a progress measure for C's upper bound may decrease, but it should not be allowed to increase. Finally, Condition 2(b)iii says that the progress functions are restarted properly when a class C becomes enabled or when an event in C occurs. The considerations are analogous to those for proper initialization.

Condition 3 describes what must happen when a null step of time(A, b) occurs. Condition 3(a) says that a null step does not change the state of A'. Condition 3(b)i says that each progress function g_C does in fact describe an upper bound on the time by which an action in C must occur. That is, if the system time(A, b) is in state s', then it is not permissible for time to pass beyond time g_C(s') without some action in C occurring. Condition 3(b)ii is similar to Condition 2(b)ii, in that it says that the progress functions are maintained properly when nothing of interest occurs.

We now show how progress function collections can be used to generate strong possibilities mappings. Let (f, (g_C, h_C)_{C ∈ part(A')}) be a progress function collection from (A, b) to (A', b'). Then we define a mapping f̂ from states of time(A, b) to sets of states of time(A', b') by: u ∈ f̂(s) iff

1. u.basic = f(s),

2. u.time = s.time,

3. u.last(C) ≥ g_C(s) for each C ∈ part(A'), and

4. u.first(C) ≤ h_C(s) for each C ∈ part(A').


The next lemma shows that f̂ is a strong possibilities mapping.

Lemma 4.3 Suppose that (A, b) and (A', b') are timed automata with the same set of external actions, and suppose that (f, (g_C, h_C)_{C ∈ part(A')}) is a progress function collection from (A, b) to (A', b'). Let f̂ be the corresponding mapping defined just above. Then f̂ is a strong possibilities mapping from time(A, b) to time(A', b').

Proof: We show the three conditions of Definition 4.1. Condition 3 is immediate by definition.

For Condition 1, let s be a start state of time(A, b). Then Condition 1 of Definition 4.2 yields a start state v of A' such that v = f(s) and, for all C ∈ part(A'), if v ∈ enabled(A', C) then g_C(s) ≤ b'_u(C) and h_C(s) ≥ b'_l(C). Define u to be the (unique) start state of time(A', b') having u.basic = v. By definition of the start states of time(A', b'), it follows that u.time = 0 = s.time, u.last(C) = b'_u(C) if v ∈ enabled(A', C) and u.last(C) = ∞ otherwise, and u.first(C) = b'_l(C) if v ∈ enabled(A', C) and u.first(C) = 0 otherwise. Then we have u.basic = v = f(s), u.time = s.time, and u.last(C) ≥ g_C(s) and u.first(C) ≤ h_C(s) for all C, which implies that u ∈ f̂(s), as needed.

Now we show Condition 2 of Definition 4.1. Let Π be the common set of external actions for (A, b) and (A', b'). Suppose that s' is a reachable state of time(A, b), u' ∈ f̂(s') is a reachable state of time(A', b'), and (s', (π, t), s) is a step of time(A, b). Since u' ∈ f̂(s'), it follows that u'.basic = f(s'), u'.time = s'.time, and u'.last(C) ≥ g_C(s') and u'.first(C) ≤ h_C(s') for all C ∈ part(A'). Also, since u' is a reachable state of time(A', b'), it follows that u'.basic is a reachable state of A'.

We consider two cases:

1. $\pi \ne NULL$.

Then Condition 2 of Definition 4.2 yields an execution fragment $\alpha$ of $A'$ with the properties detailed in that definition. We modify $\alpha$ to obtain an execution fragment $\alpha'$ of $time(A',b')$, by using the same sequence of events as in $\alpha$, associating time $t$ with each event, and filling in the values of the $time$, $last$ and $first$ variables as determined by the definition of $time(A',b')$.

In order to show that the resulting $\alpha'$ is an execution fragment of $time(A',b')$, we must argue that the designated times of events are within the bounds allowed by the definition of $time(A',b')$. The only interesting condition to show is Condition 1(c)i of the definition of $time(A',b')$, for a class $C$ that has $b'_l(C) > 0$: we must show that if any action in such a class $C$ occurs in $\alpha'$, then $u''.first(C) \le t$, where $u''$ is the state of $time(A',b')$ just prior to that $C$ event. By Condition 2(b)i of Definition 4.2, there is only one $C$ event in $\alpha$, and all states in $\alpha$ prior to the given $C$ event are in $enabled(A',C)$; by the definition of $time(A',b')$, this implies that $u''.first(C) = u'.first(C)$. Condition 2(b)i of Definition 4.2 also implies that $t \ge h_C(s')$; since $u'.first(C) \le h_C(s')$, this implies that $u'.first(C) \le t$, so that $u''.first(C) \le t$, as needed.

Now we define the extended step $(u',\beta,u)$ of $time(A',b')$ that arises from $\alpha'$; that is, $u$ is the last state in $\alpha'$ and $\beta$ is the schedule of $\alpha'$. We show that this extended step satisfies the conditions required in Definition 4.1. First, we must show that $u \in f(s)$, that is, that $u.basic = f(s)$, $u.time = s.time$, and that $u.last(C) \ge g_C(s)$ and $u.first(C) \le h_C(s)$ for all $C$. But $u.basic = f(s)$ by the definition of $\alpha$, and $u.time = t = s.time$, showing the first two of these conditions. To see that $u.last(C) \ge g_C(s)$, note that $u'.last(C) \ge g_C(s')$ since $u' \in f(s')$; Conditions 2(b)ii and 2(b)iii of Definition 4.2 and the definition of $time(A',b')$ then imply the needed inequality. A similar argument holds for the lower bound condition.

Also, since $\alpha|\Pi = \pi|\Pi$, it follows that $\beta|(\Pi \times \Re) = (\pi,t)|(\Pi \times \Re)$. Thus, Condition 2 of Definition 4.1 is satisfied.

2. $\pi = NULL$.

Define state $u$ of $time(A',b')$ to be the same as state $u'$, except that $u.time = t$. We claim that $(u',(NULL,t),u)$ is the required extended step of $time(A',b')$.

First, we argue that $(u',(NULL,t),u)$ is a step of $time(A',b')$. By definition of $time(A',b')$, the only interesting condition to check is that $t \le u'.last(C)$ for all $C \in part(A')$. So fix $C \in part(A')$. Condition 3(b)i of Definition 4.2 implies that $t \le g_C(s')$; since $u'.last(C) \ge g_C(s')$, we have $t \le u'.last(C)$, as needed.

Now we check the remaining requirements for Condition 2 of Definition 4.1. The correspondence between external action sequences is easy to see. We argue that $u \in f(s)$. Since $u.basic = u'.basic$, $f(s) = f(s')$ (by Condition 3(a) of Definition 4.2), and $u'.basic = f(s')$, it follows that $u.basic = f(s)$. Also, $u.time = t = s.time$. Let $C \in part(A')$. Then $u.last(C) = u'.last(C) \ge g_C(s')$, and $g_C(s') \ge g_C(s)$ by Condition 3(b)ii of Definition 4.2. Therefore, $u.last(C) \ge g_C(s)$. A similar argument shows that $u.first(C) \le h_C(s)$. Therefore, Condition 2 of Definition 4.1 holds, as needed. ■


Now we give the main theorem about progress function collections, saying that their existence implies timed behavior inclusion.

Theorem 4.4 Suppose that $(A,b)$ and $(A',b')$ are timed automata with the same set of external actions. If there exists a progress function collection from $(A,b)$ to $(A',b')$, then every timed behavior of $(A,b)$ is a timed behavior of $(A',b')$.

Proof: By Lemma 4.3 and Theorem 4.2. ■
5 Examples

In this section, we present two examples for which we prove time upper and lower bounds using our mapping techniques (in particular, using progress function collections).


5.1 Resource Manager

Our first example is a simple resource-granting system adapted from an algorithm in [5]. The system consists of two components, a clock and a manager. The clock ticks at an approximately-predictable rate, and the manager counts ticks in order to decide when to grant a resource. We wish to analyze the time until the first grant, and the time between each successive pair of grants.

We describe the algorithm and its timing assumptions as a timed automaton $(A,b)$. The required timing behavior is presented as a timed automaton $(A',b')$; we prove that the algorithm satisfies the requirements by exhibiting a progress function collection from $(A,b)$ to $(A',b')$.


5.1.1 The Algorithm

The algorithm consists of two components, a clock and a manager. The clock has only one action, the output TICK, which is always enabled, and has no effect on the clock's state. It can be described as the particular one-state I/O automaton with the following steps.¹

TICK
  Precondition:
    true
  Effect:
    none

The partition contains a single class, which contains the single output event TICK. For convenience, we overload the notation and designate this singleton class as TICK also.

The manager can be described as another I/O automaton, this one having one input action, TICK, and one output action, GRANT. The manager waits a particular number $k > 0$ of clock ticks before issuing each GRANT, counting from the beginning or from the last preceding GRANT. The manager's state has one variable: $timer$, holding an integer, initially $k$.

The manager's algorithm is as follows:

¹In the notation we use for automata, a separate description is given for the steps involving each action. Instead of listing the steps, we provide a "precondition" which describes the set of states in which the action is enabled, and an "effect" which describes the changes caused by the action. Input actions do not have a precondition, because they are always enabled.
TICK
  Effect:
    timer := timer − 1

GRANT
  Precondition:
    timer ≤ 0
  Effect:
    timer := k

Thus, in the situation we are modeling, when the GRANT action's precondition becomes satisfied, the action does not occur instantly; the action waits until the automaton's next local step occurs. The partition has a single class, containing the single output action GRANT; we call this class GRANT as well. Fix $A$ to be the I/O automaton which is the composition of the clock and manager automata, with the TICK output action hidden (using the I/O automaton hiding operator to convert it to an internal action); thus, the only external action of $A$ is the output action GRANT.

The boundmap $b$ associates the lower bound $c_1$ and upper bound $c_2$ with the class TICK, where $0 < c_1 \le c_2 < \infty$; this means that the times between successive TICK events, and the time of the first TICK event, are in the interval $[c_1,c_2]$. The boundmap $b$ also associates the lower bound $0$ and upper bound $l$ with the class GRANT, where $0 < l < \infty$; this means that the times between successive chances for the manager to take a step, and the time of the first such chance, are in the interval $[0,l]$. We assume that $c_1 > l$.² We wish to show that all the timed behaviors of $(A,b)$ satisfy certain upper and lower bounds on the time up to the first GRANT and the time between consecutive pairs of GRANT events.

We begin our analysis by stating some useful invariant properties of the algorithm. In order to do this, we need timing information to be included in the state, so we consider the automaton $time(A,b)$, constructed as described in Section 3. Note that in this case, the automaton $time(A,b)$ has the following variables: $basic$, $time$, $first(TICK)$, $last(TICK)$, $first(GRANT)$, and $last(GRANT)$. The next lemma states invariant properties of the automaton $time(A,b)$. Notice that the second property involves the time prediction variables.

We again use record notation to designate state components, e.g., we use $s.timer$ to denote the value of the $timer$ component of $s.basic$.

Lemma 5.1 The following are true about any reachable state $s$ of $time(A,b)$.

1. $s.timer \ge 0$.

2. If $s.timer = 0$ then $s.first(TICK) \ge s.last(GRANT) + c_1 - l$.

²This assumption is needed, for example, for Lemma 5.1. Other assumptions could be used, but they would lead to slightly different bounds.
Proof: By induction on the length of an execution leading to $s$. If the length is 0, then $s.timer = k > 0$, so the conditions are easily seen to be true. So suppose that $(s',(\pi,t),s)$ is a step of $time(A,b)$, where $s'$ is reachable in $n$ steps and the conditions are true for $s'$. We consider cases.

1. $\pi = GRANT$.

Then the effect of the GRANT action implies that $s.timer = k > 0$, which implies both conditions.

2. $\pi = TICK$.

Suppose that $s.timer < 0$. Then $s'.timer = 0$, by the effect of the step and the inductive hypothesis. The inductive hypothesis also implies that $s'.first(TICK) \ge s'.last(GRANT) + c_1 - l$. Since $c_1 > l$ (by assumption), this implies that $s'.first(TICK) > s'.last(GRANT)$. Since $s'.last(GRANT) \ge t$ by the definition of $time(A,b)$, it follows that $s'.first(TICK) > t$. But then the definition of $time(A,b)$ implies that TICK cannot occur at time $t$ from $s'$, a contradiction. Thus, $s.timer \ge 0$, showing the first condition.

Now, $s.first(TICK) = t + c_1$ and $s.last(GRANT) \le t + l$. This implies that $s.first(TICK) \ge s.last(GRANT) + c_1 - l$, showing the second condition.

3. $\pi = NULL$.

Then all of the terms involved in the two conditions are the same in $s'$ and $s$, so the conditions are preserved.

■

5.1.2 The Requirements Automaton

We show the following, for any timed behavior $\beta$ of $(A,b)$:

1. There are infinitely many GRANT events in $\beta$.

2. If $t$ is the time of the first GRANT event in $\beta$, then $k \cdot c_1 - l \le t \le k \cdot c_2 + l$.

3. If $t_1$ and $t_2$ are the times of any two consecutive GRANT events in $\beta$, then $k \cdot c_1 - l \le t_2 - t_1 \le k \cdot c_2 + l$.

We let $P$ denote the set of sequences of (action, time) pairs, where the only action is GRANT, satisfying the above three conditions.

We specify $P$ in terms of another timed automaton, $(A',b')$. Define $A'$ to have a single state and a single GRANT output action enabled in that state, and define the boundmap $b'$ to assign to the unique class of $A'$ the lower and upper bounds $k \cdot c_1 - l$ and $k \cdot c_2 + l$, respectively.

Note that the timed behaviors of $(A',b')$ are exactly the sequences in $P$.
5.1.3 The Proof

In this subsection, we give a progress function collection from $(A,b)$ to $(A',b')$, thereby showing that all timed behaviors of $(A,b)$ are also timed behaviors of $(A',b')$. This fact yields Theorem 5.3, which says that all timed behaviors of $(A,b)$ are in $P$.

The mapping is defined by means of a progress function collection, $(f, g_{GRANT}, h_{GRANT})$, where $f(s.basic)$ is the unique state of $A'$, for all $s$, and

$$g_{GRANT}(s) = \begin{cases} s.last(TICK) + (s.timer - 1)c_2 + l & \text{if } s.timer > 0, \\ s.last(GRANT) & \text{otherwise,} \end{cases}$$

and

$$h_{GRANT}(s) = \begin{cases} s.first(TICK) + (s.timer - 1)c_1 & \text{if } s.timer > 0, \\ s.time & \text{otherwise.} \end{cases}$$

The progress functions give explicit upper and lower bounds for the time of the next GRANT event, in terms of the values of the variables in the state of $time(A,b)$. For instance, if $s.timer > 0$, a TICK event must happen by time $s.last(TICK)$, and then after $s.timer - 1$ additional ticks, each happening after at most $c_2$ time, $timer$ will become 0, thus enabling the GRANT, which will happen within time at most $l$.

Since there is only one class in the partition of $A'$, we drop the subscript GRANT on the progress functions for the rest of this example, writing simply $g$ and $h$ in place of $g_{GRANT}$ and $h_{GRANT}$.

Lemma 5.2 The triple $(f,g,h)$ is a progress function collection from $(A,b)$ to $(A',b')$.

Proof: Let $s$ be the unique start state of $time(A,b)$. Then $s.timer = k > 0$, $s.last(TICK) = c_2$ and $s.first(TICK) = c_1$, so that

$$g(s) = s.last(TICK) + (s.timer - 1)c_2 + l = k \cdot c_2 + l$$

and

$$h(s) = s.first(TICK) + (s.timer - 1)c_1 = k \cdot c_1 \ge k \cdot c_1 - l.$$

Let $v = f(s.basic)$. Then $v$ is the unique start state of $A'$. Also,

$$b'_u(GRANT) = k \cdot c_2 + l = g(s)$$

and

$$b'_l(GRANT) = k \cdot c_1 - l \le h(s).$$

This shows Condition 1 of Definition 4.2.

Now we show Condition 2. Suppose that $s'$ is a reachable state of $time(A,b)$ and $(s',(\pi,t),s)$ is a step of $time(A,b)$, where $\pi$ is nonnull. Let $v$ denote the unique state of $A'$. We consider cases.
1. $\pi = GRANT$.

Then $s'.timer \le 0$ and $s.timer = k > 0$, by the precondition and effect of GRANT in $A$; thus, $s'.timer = 0$ by Lemma 5.1. Lemma 5.1 also implies that $s'.first(TICK) \ge s'.last(GRANT) + c_1 - l$.

Let $\alpha$ be the execution fragment $(v, GRANT, v)$ of $A'$. Then Condition 2(a) of Definition 4.2 is immediate. For Condition 2(b)i, the enabling and uniqueness conditions are immediate; moreover,

$$\begin{aligned} t &\ge s'.time && \text{by definition of } time(A,b), \\ &= h(s') && \text{since } s'.timer = 0, \end{aligned}$$

as needed.

Condition 2(b)ii is vacuously true, since a GRANT event occurs in $\alpha$. For Condition 2(b)iii, we must show that $g(s) \le t + b'_u(GRANT)$ and $h(s) \ge t + b'_l(GRANT)$. For the upper bound, we have that $s.last(TICK) \le t + c_2$, by definition of $time(A,b)$. Therefore,

$$\begin{aligned} g(s) &= s.last(TICK) + (k-1)c_2 + l && \text{since } s.timer = k > 0, \\ &\le t + k \cdot c_2 + l, \\ &= t + b'_u(GRANT), \end{aligned}$$

as needed.

For the lower bound, we have that $s.first(TICK) = s'.first(TICK)$ and $s'.last(GRANT) \ge t$, by definition of $time(A,b)$. Therefore,

$$\begin{aligned} h(s) &= s.first(TICK) + (k-1)c_1 && \text{since } s.timer > 0, \\ &= s'.first(TICK) + (k-1)c_1, \\ &\ge s'.last(GRANT) + k \cdot c_1 - l && \text{by Lemma 5.1,} \\ &\ge t + k \cdot c_1 - l, \\ &= t + b'_l(GRANT), \end{aligned}$$

as needed.

2. $\pi = TICK$.

Then $s.timer = s'.timer - 1$. Let $\alpha$ be the trivial execution fragment $v$ of $A'$. Once again, Condition 2(a) of Definition 4.2 is immediate. Conditions 2(b)i and 2(b)iii are vacuously true. For Condition 2(b)ii, we must show that $g(s) \le g(s')$ and $h(s) \ge h(s')$. There are two cases.

(a) $s.timer > 0$.

For the upper bound, we have that $s.last(TICK) = t + c_2$ and $t \le s'.last(TICK)$, by definition of $time(A,b)$; therefore, $s.last(TICK) \le s'.last(TICK) + c_2$. Thus,

$$\begin{aligned} g(s) &= s.last(TICK) + (s.timer - 1)c_2 + l, \\ &= s.last(TICK) + (s'.timer - 2)c_2 + l && \text{since } s.timer = s'.timer - 1, \\ &\le s'.last(TICK) + (s'.timer - 1)c_2 + l, \\ &= g(s'), \end{aligned}$$

as needed.

For the lower bound, we have that $s.first(TICK) = t + c_1$ and $s'.first(TICK) \le t$ by the definition of $time(A,b)$; therefore, $s.first(TICK) \ge s'.first(TICK) + c_1$. Thus,

$$\begin{aligned} h(s) &= s.first(TICK) + (s.timer - 1)c_1, \\ &\ge s'.first(TICK) + c_1 + (s.timer - 1)c_1, \\ &= s'.first(TICK) + (s'.timer - 1)c_1 && \text{since } s.timer = s'.timer - 1, \\ &= h(s'), \end{aligned}$$

as needed.

(b) $s.timer = 0$.

Then $s'.timer = 1$. For the upper bound, we have that $s.last(GRANT) \le t + l$ and $t \le s'.last(TICK)$, so that $s.last(GRANT) \le s'.last(TICK) + l$, by definition of $time(A,b)$. Therefore,

$$\begin{aligned} g(s) &= s.last(GRANT), \\ &\le s'.last(TICK) + l, \\ &= g(s'), \end{aligned}$$

as needed.

For the lower bound, we have that $s.time = t$ and $s'.first(TICK) \le t$, so that $s.time \ge s'.first(TICK)$. Therefore,

$$\begin{aligned} h(s) &= s.time, \\ &\ge s'.first(TICK), \\ &= h(s'), \end{aligned}$$

as needed.


Now consider a step $(s',(NULL,t),s)$ of $time(A,b)$, where $s'$ is a reachable state of $time(A,b)$. Condition 3(a) of Definition 4.2 is immediate. Now,

$$g(s') = \begin{cases} s'.last(TICK) + (s'.timer - 1)c_2 + l & \text{if } s'.timer > 0, \\ s'.last(GRANT) & \text{otherwise.} \end{cases}$$

Therefore, $g(s') \ge \min(s'.last(TICK), s'.last(GRANT))$. By the definition of $time(A,b)$, it must be that $t \le \min(s'.last(TICK), s'.last(GRANT))$; thus, $t \le g(s')$, which shows Condition 3(b)i of Definition 4.2. For Condition 3(b)ii, we must show that $g(s) \le g(s')$ and $h(s) \ge h(s')$. But since only the value of $time$ is different in $s$ and $s'$, and $s.time \ge s'.time$, these inequalities follow immediately from the definitions of the progress functions $g$ and $h$. ■


Now we can put the pieces together.

Theorem 5.3 All timed behaviors of $(A,b)$ are in $P$.

Proof: Lemma 5.2 yields a progress function collection from $(A,b)$ to $(A',b')$. Thus, by Theorem 4.4, any timed behavior $\beta$ of $(A,b)$ is a timed behavior of $(A',b')$. This implies that $\beta \in P$. ■


5.1.4 Discussion

The bounds that we have proved above are nearly tight. Specifically, it is possible to produce four timed executions of $(A,b)$ that exhibit the following types of behavior:

1. The time until the first GRANT is exactly $k \cdot c_1$.

2. The time until the first GRANT is exactly $k \cdot c_2 + l$.

3. The time between the first and second GRANT events is exactly $k \cdot c_1 - l$.

4. The time between the first and second GRANT events is exactly $k \cdot c_2 + l$.

The only discrepancy between these bounds and those proved above is a difference of $l$ in the lower bound for the first GRANT.

For example, the first bound is realized by the timed execution of $(A,b)$ that has the following timed schedule:

$$(TICK, c_1), (TICK, 2 \cdot c_1), \ldots, (TICK, k \cdot c_1), (GRANT, k \cdot c_1).$$

The second bound is realized by the timed execution that has the following timed schedule:

$$(TICK, c_2), (TICK, 2 \cdot c_2), \ldots, (TICK, k \cdot c_2), (GRANT, k \cdot c_2 + l).$$

The third bound is realized by:

$$(TICK, c_1), (TICK, 2 \cdot c_1), \ldots, (TICK, k \cdot c_1), (GRANT, k \cdot c_1 + l),$$
$$(TICK, (k+1) \cdot c_1), (TICK, (k+2) \cdot c_1), \ldots, (TICK, 2k \cdot c_1), (GRANT, 2k \cdot c_1).$$

Finally, the fourth bound is realized by:

$$(TICK, c_2), (TICK, 2 \cdot c_2), \ldots, (TICK, k \cdot c_2), (GRANT, k \cdot c_2),$$
$$(TICK, (k+1) \cdot c_2), (TICK, (k+2) \cdot c_2), \ldots, (TICK, 2k \cdot c_2), (GRANT, 2k \cdot c_2 + l).$$

Note that it is possible to modify our proof to give the tight lower bound of $k \cdot c_1$ for the first GRANT; the idea is to split the requirements to be proved so they are expressed by two separate partition classes in $(A',b')$, one for the first GRANT and one for the time between pairs of GRANT events. The two classes will have different lower bounds. There is a slight technical difficulty in that the algorithm $(A,b)$ would have to be modified slightly in order to distinguish the first GRANT event from successive GRANT events, but there is no problem in principle.
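The following Python program is an added illustration of Sections 5.1.1 through 5.1.4; it is not code from the paper. It simulates $time(A,b)$ for the resource manager next to the requirements automaton $time(A',b')$ and, on every step, checks the two invariants of Lemma 5.1, the obligations on $g$ and $h$ that Lemma 5.2 establishes (Conditions 2(b)i, 2(b)ii, 2(b)iii and 3(b) of Definition 4.2), and that the specification state $u$ stays in $f(s)$ for the mapping $f$ of Section 4. The four timed schedules of Section 5.1.4 are replayed through it. The state layout, the function names and the sample parameter values are this example's own choices.

```python
# Added illustration, not code from the paper: time(A,b) for the resource manager
# of Section 5.1 run side by side with time(A',b'), checking the obligations of
# Lemmas 5.1 and 5.2 and the mapping f of Section 4 on every step.
from dataclasses import dataclass, replace

INF = float("inf")

@dataclass(frozen=True)
class ImplState:
    """A state of time(A,b): the manager's timer plus the timing variables."""
    timer: int
    time: float
    first_tick: float
    last_tick: float
    first_grant: float
    last_grant: float

@dataclass(frozen=True)
class SpecState:
    """A state of time(A',b'); A' has one basic state, so only timing is kept."""
    time: float
    first_grant: float
    last_grant: float

def start_states(k, c1, c2, l):
    # GRANT is disabled in the start state (timer = k > 0): first = 0, last = inf.
    s = ImplState(k, 0, c1, c2, 0, INF)
    u = SpecState(0, k * c1 - l, k * c2 + l)  # b'(GRANT) = [k c1 - l, k c2 + l]
    return s, u

def g(s, c2, l):
    """g_GRANT(s): an upper bound on the time of the next GRANT."""
    return s.last_tick + (s.timer - 1) * c2 + l if s.timer > 0 else s.last_grant

def h(s, c1):
    """h_GRANT(s): a lower bound on the time of the next GRANT."""
    return s.first_tick + (s.timer - 1) * c1 if s.timer > 0 else s.time

def impl_step(s, action, t, k, c1, c2, l):
    """The step (s, (action, t), s2) of time(A,b); ValueError if time(A,b) forbids it."""
    if t < s.time or t > s.last_tick or t > s.last_grant:
        raise ValueError("time moves backwards or a deadline would be missed")
    if action == "TICK":
        if t < s.first_tick:
            raise ValueError("TICK before its lower bound")
        timer = s.timer - 1
        # GRANT becomes enabled when timer reaches 0: its bounds [0, l] start now.
        grant = (t, t + l) if timer <= 0 < s.timer else (s.first_grant, s.last_grant)
        return ImplState(timer, t, t + c1, t + c2, *grant)
    if action == "GRANT":
        if s.timer > 0 or t < s.first_grant:
            raise ValueError("GRANT not enabled, or before its lower bound")
        return ImplState(k, t, s.first_tick, s.last_tick, 0, INF)
    return replace(s, time=t)  # NULL step: only time advances

def spec_step(u, action, t, k, c1, c2, l):
    """The matching step of time(A',b'): GRANT is its only action, TICK is hidden."""
    if t > u.last_grant:
        raise ValueError("spec deadline missed")
    if action == "GRANT":
        if t < u.first_grant:
            raise ValueError("spec GRANT too early")
        return SpecState(t, t + k * c1 - l, t + k * c2 + l)
    return replace(u, time=t)

def in_f(u, s, c1, c2, l):
    """u in f(s), the mapping of Section 4 (u.basic = f(s.basic) holds trivially)."""
    return u.time == s.time and u.last_grant >= g(s, c2, l) and u.first_grant <= h(s, c1)

def run(schedule, k, c1, c2, l):
    """Run a timed schedule through both automata, checking every proof obligation.
    Returns the times of the GRANT events."""
    s, u = start_states(k, c1, c2, l)
    assert s.timer >= 0 and in_f(u, s, c1, c2, l)
    grants = []
    for action, t in schedule:
        s2 = impl_step(s, action, t, k, c1, c2, l)
        assert s2.timer >= 0                                             # Lemma 5.1(1)
        assert s2.timer != 0 or s2.first_tick >= s2.last_grant + c1 - l  # Lemma 5.1(2)
        if action == "GRANT":
            assert h(s, c1) <= t <= g(s, c2, l)                                      # 2(b)i
            assert g(s2, c2, l) <= t + k * c2 + l and h(s2, c1) >= t + k * c1 - l  # 2(b)iii
            grants.append(t)
        else:
            assert t <= g(s, c2, l)                                         # 3(b)i
            assert g(s2, c2, l) <= g(s, c2, l) and h(s2, c1) >= h(s, c1)  # 2(b)ii, 3(b)ii
        u2 = spec_step(u, action, t, k, c1, c2, l)  # legal precisely because u is in f(s)
        assert in_f(u2, s2, c1, c2, l)
        s, u = s2, u2
    return grants

def is_legal(schedule, k, c1, c2, l):
    """True iff the schedule is a timed schedule of (A,b), i.e. no bound is violated."""
    try:
        run(schedule, k, c1, c2, l)
        return True
    except ValueError:
        return False

def extremal_schedules(k, c1, c2, l):
    """The four timed schedules of Section 5.1.4 that make the bounds (nearly) tight."""
    fast = [("TICK", i * c1) for i in range(1, k + 1)]
    slow = [("TICK", i * c2) for i in range(1, k + 1)]
    fast2 = [("TICK", i * c1) for i in range(k + 1, 2 * k + 1)]
    slow2 = [("TICK", i * c2) for i in range(k + 1, 2 * k + 1)]
    return [fast + [("GRANT", k * c1)],
            slow + [("GRANT", k * c2 + l)],
            fast + [("GRANT", k * c1 + l)] + fast2 + [("GRANT", 2 * k * c1)],
            slow + [("GRANT", k * c2)] + slow2 + [("GRANT", 2 * k * c2 + l)]]

if __name__ == "__main__":
    for sched in extremal_schedules(3, 2, 5, 1):   # constructed values k=3, c1=2, c2=5, l=1
        print(run(sched, 3, 2, 5, 1))                # GRANT times: [6], [16], [7, 12], [15, 31]
```

With $k=3$, $c_1=2$, $c_2=5$, $l=1$ the four schedules yield first-GRANT times $6 = k \cdot c_1$ and $16 = k \cdot c_2 + l$, and inter-GRANT gaps $5 = k \cdot c_1 - l$ and $16 = k \cdot c_2 + l$, matching the four behaviors listed above. A schedule that violates a bound of $(A,b)$ (a GRANT before the timer reaches 0, or a TICK before $c_1$ has elapsed) is rejected by `impl_step` before any obligation is checked, which is the sense in which the progress functions only need to hold along legal steps.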

Note  that  our  resource  manager  is  much  simpler  than  the  usual  examples  of  resource- 
granting  systems;  in  particular,  there  is  no  request  input  that  triggers  the  GRANT  output. 
We  do  not  think  that  adding  such  structure  would  increase  the  conceptual  difficulty  of  the 
example  or  expose  any  interesting  property  of  the  methodology  we  suggest  here;  however,  it 
would  make  the  analysis  somewhat  longer. 

5.2 Two-Process Race System

We consider a system composed of two processes, $X$ and $Y$. Process $X$ increments a counter until process $Y$ modifies a flag, and then decrements the counter. When the counter reaches 0, process $X$ announces that it is done. We are interested in upper and lower bounds on the time until a "done" announcement occurs. An interesting aspect of this example is the fact that the worst-case time is not attained in the case where the processes both continually take steps at their slowest possible rates. Rather, it is attained when process $Y$ takes steps at its slowest possible rate, while process $X$ takes steps at its fastest rate until the flag is set, and then takes steps at its slowest rate until the counter reaches 0.

As in the previous example, we describe the algorithm and its timing assumptions as a timed automaton $(A,b)$, and the required timing behavior as another timed automaton $(A',b')$, and produce a progress function collection from $(A,b)$ to $(A',b')$.

5.2.1 The Algorithm

The system is described as a single timed automaton $(A,b)$ containing two classes representing the two processes $X$ and $Y$. Automaton $A$ has state variables $x$, $y$ and $done$, where $x$ and $y$ are integers, initially 0, and $done$ is a Boolean, initially $false$. There is one output action, DONE, three internal actions, SET, INC and DEC, and no input actions. The partition classes are $X = \{INC, DEC, DONE\}$ and $Y = \{SET\}$. Intuitively, there are two sequential processes (using shared memory), one of which performs the SET action and one of which performs the other three actions. The transitions are as follows.

SET
  Precondition:
    y = 0
  Effect:
    y := 1

INC
  Precondition:
    y = 0
  Effect:
    x := x + 1

DEC
  Precondition:
    y = 1
    x > 0
  Effect:
    x := x − 1

DONE
  Precondition:
    y = 1
    x = 0
    done = false
  Effect:
    done := true

The boundmap $b$ for $A$ assigns the lower bound $l_1$ and the upper bound $l_2$, where $0 < l_1 \le l_2 < \infty$, with each of the two partition classes, indicating that the time between successive steps of each of the two processes is in the interval $[l_1, l_2]$. We are interested in determining the maximum and minimum times taken by the timed automaton $(A,b)$ from the beginning until the DONE action occurs.


5.2.2 The Requirements Automaton

We will show that any timed behavior $\beta$ of $(A,b)$ contains exactly one DONE event, occurring at a time in the interval $[l_1, (2 + \lfloor l_2/l_1 \rfloor) l_2]$. The intuition for the lower bound should be clear: this is the earliest time at which the flag can be set, and hence the earliest at which the DONE event can occur. The intuition for the upper bound is a little more complex: if process $Y$ sets the flag at the latest possible time $l_2$, then there is time for process $X$ to take approximately $\lfloor l_2/l_1 \rfloor$ steps before the flag is set, if $X$ takes steps as quickly as possible. This will cause the counter to be set to approximately $\lfloor l_2/l_1 \rfloor$. If $X$ then decrements the counter as slowly as possible, with time $l_2$ between successive steps, then the total time to decrement is approximately $\lfloor l_2/l_1 \rfloor l_2$. The precise bound involves some roundoffs and additive constants, and is obtained using some trial and error.

Let $P$ denote the set of sequences of (action, time) pairs, where the only action is DONE, satisfying the condition that the DONE event occurs at a time in the interval $[l_1, (2 + \lfloor l_2/l_1 \rfloor) l_2]$.

We specify $P$ in terms of a timed automaton $(A',b')$, defined as follows. $A'$ has two states, $active$ and $inactive$, with start state $active$, and a single action, DONE, which is an output action enabled in state $active$ and whose effect is to change the state to $inactive$. The boundmap $b'$ assigns to the single class DONE the lower and upper bounds $l_1$ and $(2 + \lfloor l_2/l_1 \rfloor) l_2$, respectively.

Note that the timed behaviors of $(A',b')$ are exactly the sequences in $P$.


5.2.3 The Proof

In this subsection, we define a progress function collection from $(A,b)$ to $(A',b')$, which implies that every timed behavior of $(A,b)$ satisfies $P$. The progress function collection, $(f, g_{DONE}, h_{DONE})$, has $f(s.basic) = active$ if $s.done = false$ and $inactive$ if $s.done = true$, and

$$g_{DONE}(s) = \begin{cases} s.last(Y) + \left(s.x + 2 + \left\lfloor \dfrac{s.last(Y) - s.first(X)}{l_1} \right\rfloor\right) l_2 & \text{if } s.y = 0 \text{ and } s.first(X) \le s.last(Y), \\ s.last(X) + s.x \cdot l_2 & \text{otherwise,} \end{cases}$$

and

$$h_{DONE}(s) = \begin{cases} s.first(X) + (s.x + 2) l_1 & \text{if } s.y = 0 \text{ and } s.first(Y) > s.last(X), \\ s.first(X) + s.x \cdot l_1 & \text{otherwise.} \end{cases}$$

We give some intuition for the first, more complicated case of each inequality. For the upper bound, this is the case where another step of $X$ can occur before the next (and only) step of $Y$ occurs. In this case, $\lfloor (s.last(Y) - s.first(X))/l_1 \rfloor$ measures how many additional steps of $X$ (after the indicated step of $X$) can fit before $Y$ must take a step, and $(s.x + 2 + \lfloor (s.last(Y) - s.first(X))/l_1 \rfloor) l_2$ is the longest time it can take from the time SET occurs (which is at most $s.last(Y)$) until DONE occurs. In more detail, at the time the SET occurs, the value of $x$ is at most $s.x + 1 + \lfloor (s.last(Y) - s.first(X))/l_1 \rfloor$, so it takes this number of DEC events (each consuming at most $l_2$ time) until $x$ gets set to 0, and at most another $l_2$ until DONE occurs.

For the lower bound, the first case is the case where another step of $X$ must occur before the next (and first) step of $Y$ occurs. In this case, $x$ will be increased at time at least $s.first(X)$ and it will take at least $x + 1$ DEC operations (each consuming at least $l_1$ time) until $x$ gets set to 0 and another $l_1$ time until DONE occurs. The second cases of both inequalities are similar, but simpler.

Again, since there is only one class in the partition of $A'$, we will drop the subscript DONE on the progress functions for the rest of this example, writing simply $g$ and $h$ in place of $g_{DONE}$ and $h_{DONE}$.
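The following Python program is an added example for Sections 5.2.1 through 5.2.3, not code from the paper. It enumerates every run of $time(A,b)$ for the race system in which each step is taken at an integer time permitted by the bounds, records the earliest and latest DONE times, and compares them with $l_1$ and $(2 + \lfloor l_2/l_1 \rfloor) l_2$, the bounds of $(A',b')$ and the value of $g$ at the start state. Restricting to integer times is an assumption of this example: it requires integer $l_1 \le l_2$, for which the extreme DONE times are attained at integer times. The tuple layout of the state and all function names are this example's own.

```python
# Added example, not code from the paper: exhaustive search over time(A,b) for
# the two-process race system of Section 5.2 with integer bounds l1 <= l2.
from functools import lru_cache

INF = float("inf")

# A state of time(A,b) is the tuple (x, y, done, time, first_X, last_X, first_Y, last_Y):
# the basic variables of A, the current time, and the prediction variables of the
# classes X = {INC, DEC, DONE} and Y = {SET}.  A disabled class has first = 0, last = inf.

def start_state(l1, l2):
    return (0, 0, False, 0, l1, l2, l1, l2)

def x_action(x, y, done):
    """The single X action enabled in a basic state, or None once DONE has occurred."""
    if done:
        return None
    if y == 0:
        return "INC"
    return "DEC" if x > 0 else "DONE"

def successors(st, l1, l2):
    """All steps (action, t, next state) of time(A,b) from st at integer times t."""
    x, y, done, now, fx, lx, fy, ly = st
    deadline = min(lx, ly)  # no class may be carried past its upper bound
    steps = []
    act = x_action(x, y, done)
    if act is not None:
        for t in range(max(now, fx), deadline + 1):
            if act == "INC":
                nxt = (x + 1, y, done, t, t + l1, t + l2, fy, ly)
            elif act == "DEC":
                nxt = (x - 1, y, done, t, t + l1, t + l2, fy, ly)
            else:  # DONE: X becomes disabled
                nxt = (x, y, True, t, 0, INF, fy, ly)
            steps.append((act, t, nxt))
    if y == 0:  # SET is enabled; afterwards Y is disabled, X keeps its bounds
        for t in range(max(now, fy), deadline + 1):
            steps.append(("SET", t, (x, 1, done, t, fx, lx, 0, INF)))
    return steps

@lru_cache(maxsize=None)
def done_range(st, l1, l2):
    """(earliest, latest) time of the DONE event over all runs from st."""
    if st[2]:
        return st[3], st[3]
    ranges = [done_range(nxt, l1, l2) for _, _, nxt in successors(st, l1, l2)]
    return min(lo for lo, _ in ranges), max(hi for _, hi in ranges)

def worst_schedule(l1, l2):
    """A timed schedule of (A,b) that attains the latest possible DONE time."""
    st, sched = start_state(l1, l2), []
    while not st[2]:
        act, t, st = max(successors(st, l1, l2), key=lambda s: done_range(s[2], l1, l2)[1])
        sched.append((act, t))
    return sched

def spec_bounds(l1, l2):
    """b'(DONE) of the requirements automaton (A',b') of Section 5.2.2."""
    return l1, (2 + l2 // l1) * l2

def g_start(l1, l2):
    """g_DONE at the start state of time(A,b), first case of its definition."""
    last_y, first_x, x = l2, l1, 0
    return last_y + (x + 2 + (last_y - first_x) // l1) * l2

if __name__ == "__main__":
    l1, l2 = 1, 3  # constructed sample bounds
    print(done_range(start_state(l1, l2), l1, l2), spec_bounds(l1, l2), g_start(l1, l2))
    print(worst_schedule(l1, l2))
```

For $l_1 = 1$, $l_2 = 3$ the search finds DONE times in $[1, 15]$, exactly the interval $[l_1, (2 + \lfloor l_2/l_1 \rfloor) l_2]$, and the schedule attaining 15 is INC at times 1, 2, 3, SET at 3, then DEC at 6, 9, 12 and DONE at 15: $X$ at its fastest rate until the flag is set and at its slowest afterwards, as the introduction to this section describes. For $l_1 = 2$, $l_2 = 5$ the latest DONE time is 20, attained by INC at 3 and 5 rather than at 2 and 4, which is why the search tries every permitted integer time instead of only the earliest and latest one.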

Lemma 5.4 The triple $(f,g,h)$ is a progress function collection from $(A,b)$ to $(A',b')$.

Proof: Let $s$ be the unique start state of $time(A,b)$. Then $s.first(X) = s.first(Y) = l_1$, $s.last(X) = s.last(Y) = l_2$, $s.x = s.y = 0$, and $s.done = false$. Then

$$\begin{aligned} g(s) &= l_2 + \left(2 + \left\lfloor \frac{l_2 - l_1}{l_1} \right\rfloor\right) l_2, \\ &= \left(2 + \left\lfloor \frac{l_2}{l_1} \right\rfloor\right) l_2, \end{aligned}$$

and

$$h(s) = s.first(X) + s.x \cdot l_1 = l_1.$$

Let $v = f(s.basic)$. Then $v = active$, by definition of $f$, which is the start state of $A'$. Also, $b'_u(DONE) = (2 + \lfloor l_2/l_1 \rfloor) l_2 = g(s)$ and $b'_l(DONE) = l_1 = h(s)$. This shows Condition 1 of Definition 4.2.

Now we show Condition 2. Suppose that $s'$ is a reachable state of $time(A,b)$ and $(s',(\pi,t),s)$ is a step of $time(A,b)$, where $\pi$ is nonnull. Also suppose that $v' = f(s'.basic)$ and $v = f(s.basic)$. We consider cases.

1. $\pi = DONE$.

Then $s'.y = 1$, $s'.x = 0$, $s'.done = false$, and $s.done = true$, by the precondition and effect of DONE in $A$, and $s'.first(X) \le t$, by the definition of $time(A,b)$. Also, $v' = f(s'.basic) = active$ and $v = f(s.basic) = inactive$.

Let $\alpha$ be the execution fragment $(v', DONE, v)$ of $A'$. Condition 2(a) is immediate. For Condition 2(b)i, the uniqueness and enabling conditions are immediate; moreover,

$$\begin{aligned} t &\ge s'.first(X), \\ &= h(s') && \text{since } s'.y = 1 \text{ and } s'.x = 0, \end{aligned}$$

as needed.

Condition 2(b)ii is vacuously true, since a DONE event occurs in $\alpha$. Condition 2(b)iii is also vacuously true, since $v \notin enabled(A', DONE)$.
2. $\pi = SET$.

Then $s'.y = 0$, $s.y = 1$, $s'.x = s.x$, by the precondition and effect of SET in $A$. Moreover, $s'.done = s.done = false$, which implies that $v' = v = active$. Also, $s.last(X) = s'.last(X)$, $s.first(X) = s'.first(X)$, $s.last(X) \le t + l_2$, $t \le s'.last(Y)$, $t \le s'.last(X)$ and $s'.first(Y) \le t$, by definition of $time(A,b)$.

Let $\alpha$ be the trivial execution fragment $v'$ of $A'$. Condition 2(a) is immediate, and 2(b)i and 2(b)iii are vacuously true. For Condition 2(b)ii, we must show that $g(s) \le g(s')$ and $h(s) \ge h(s')$. For the upper bound, we consider two cases.

(a) $s'.first(X) > s'.last(Y)$.

Then

$$\begin{aligned} g(s) &= s.last(X) + (s.x) l_2 && \text{since } s.y = 1, \\ &= s'.last(X) + (s'.x) l_2, \\ &= g(s'), \end{aligned}$$

which suffices.

(b) $s'.first(X) \le s'.last(Y)$.

Then

$$\begin{aligned} g(s) &= s.last(X) + (s.x) l_2 && \text{since } s.y = 1, \\ &\le t + l_2 + (s'.x) l_2, \\ &\le t + (s'.x + 2) l_2, \\ &\le s'.last(Y) + (s'.x + 2) l_2 && \text{since } t \le s'.last(Y), \\ &\le s'.last(Y) + \left(s'.x + 2 + \left\lfloor \frac{s'.last(Y) - s'.first(X)}{l_1} \right\rfloor\right) l_2 && \text{since } s'.first(X) \le s'.last(Y), \\ &= g(s'), \end{aligned}$$

as needed.

For the lower bound, we see that $s'.first(Y) \le s'.last(X)$, since $t \le s'.last(X)$ and $s'.first(Y) \le t$. Therefore,

$$\begin{aligned} h(s) &= s.first(X) + (s.x) l_1 && \text{since } s.y = 1, \\ &= s'.first(X) + (s'.x) l_1, \\ &= h(s'), \end{aligned}$$

which suffices.
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3.  ir  =  INC. 

Then  a'.y  =  s.y  =  Q  and  a.®  =  a'.x  +  1,  by  the  definition  of  INC.  Also,  3'.first{X)  < 
t  <  s'.last{Y),  s.last(Y)  =  a'.laatfy),  a.la3t{X)  =  t  +  I2,  a.fir3t{X)  =  t  +  li,  and 
a.firat{Y)  <  t  +  1%,  by  definition  of  time{A,b).  Thus,  g{3')  =  a'.laat{Y)  +  {a'.x  +  2  + 

Let $\alpha$ be the trivial execution fragment $v'$ of $A'$. As before, the only nontrivial condition to show is Condition 2(b)ii, that $g(s) \le g(s')$ and $h(s) \ge h(s')$. For the upper bound, we consider two cases.


(a) $s.first(X) \le s.last(Y)$.

Then $g(s) = s.last(Y) + \bigl(s.x + 2 + \lfloor (s.last(Y) - s.first(X))/l_1 \rfloor\bigr)\,l_2$. Now,
\[
\begin{aligned}
\Bigl\lfloor \frac{s.last(Y) - s.first(X)}{l_1} \Bigr\rfloor + 1
 &= \Bigl\lfloor \frac{s.last(Y) - t - l_1}{l_1} \Bigr\rfloor + 1 && \text{since } s.first(X) = t + l_1, \\
 &= \Bigl\lfloor \frac{s.last(Y) - t}{l_1} \Bigr\rfloor, \\
 &\le \Bigl\lfloor \frac{s'.last(Y) - s'.first(X)}{l_1} \Bigr\rfloor && \text{since } t \ge s'.first(X) \text{ and } s.last(Y) = s'.last(Y).
\end{aligned}
\]
Thus
\[
\begin{aligned}
g(s) &= s'.last(Y) + \Bigl(s'.x + 3 + \Bigl\lfloor \frac{s.last(Y) - s.first(X)}{l_1} \Bigr\rfloor\Bigr)\,l_2, \\
     &\le s'.last(Y) + \Bigl(s'.x + 2 + \Bigl\lfloor \frac{s'.last(Y) - s'.first(X)}{l_1} \Bigr\rfloor\Bigr)\,l_2, \\
     &= g(s'),
\end{aligned}
\]
as needed.

(b) $s.first(X) > s.last(Y)$.

Then $g(s) = s.last(X) + (s.x)\,l_2$, so
\[
\begin{aligned}
g(s) &= s.last(X) + (s.x)\,l_2, \\
     &= s.last(X) + (s'.x + 1)\,l_2, \\
     &= t + l_2 + (s'.x + 1)\,l_2, \\
     &\le s'.last(Y) + l_2 + (s'.x + 1)\,l_2, \\
     &= s'.last(Y) + (s'.x + 2)\,l_2, \\
     &\le s'.last(Y) + \Bigl(s'.x + 2 + \Bigl\lfloor \frac{s'.last(Y) - s'.first(X)}{l_1} \Bigr\rfloor\Bigr)\,l_2 && \text{since } s'.first(X) \le s'.last(Y), \\
     &= g(s'),
\end{aligned}
\]
as needed.


For the lower bound, notice that
\[
s.first(Y) \le t + l_1 \le t + l_2 = s.last(X).
\]
Thus, we have $h(s) = s.first(X) + (s.x)\,l_1$. There are two cases.

(a) $s'.first(Y) \le s'.last(X)$.

Then
\[
\begin{aligned}
h(s) &= s.first(X) + (s.x)\,l_1, \\
     &\ge s.first(X) + (s'.x)\,l_1, \\
     &\ge t + (s'.x)\,l_1, \\
     &\ge s'.first(X) + (s'.x)\,l_1, \\
     &= h(s'),
\end{aligned}
\]
as needed.

(b) $s'.first(Y) > s'.last(X)$.

Then
\[
\begin{aligned}
h(s) &= s.first(X) + (s.x)\,l_1, \\
     &= s.first(X) + (s'.x + 1)\,l_1, \\
     &= s.first(X) - l_1 + (s'.x + 2)\,l_1, \\
     &= t + (s'.x + 2)\,l_1, \\
     &\ge s'.first(X) + (s'.x + 2)\,l_1, \\
     &= h(s'),
\end{aligned}
\]
as needed.


4. $\pi = \mathrm{DEC}$.

Once again, let $\alpha$ be the trivial execution fragment $v'$ of $A'$. As before, the only nontrivial condition to show is Condition 2(b)ii, that $g(s) \le g(s')$ and $h(s) \ge h(s')$. By the definition of DEC, $s'.y = s.y = 1$ and $s.x = s'.x - 1$. Also, $s.last(X) = t + l_2$, $s.first(X) = t + l_1$, $t \le s'.last(X)$, and $t \ge s'.first(X)$, by definition of $time(A,b)$.

For the upper bound, we have that
\[
\begin{aligned}
g(s) &= s.last(X) + (s.x)\,l_2, \\
     &= t + l_2 + (s'.x - 1)\,l_2, \\
     &\le s'.last(X) + l_2 + (s'.x - 1)\,l_2, \\
     &= s'.last(X) + (s'.x)\,l_2, \\
     &= g(s'),
\end{aligned}
\]
as needed.

For the lower bound, we have that
\[
\begin{aligned}
h(s) &= s.first(X) + (s.x)\,l_1, \\
     &= t + l_1 + (s.x)\,l_1, \\
     &\ge s'.first(X) + l_1 + (s.x)\,l_1, \\
     &= s'.first(X) + (s'.x)\,l_1, \\
     &= h(s'),
\end{aligned}
\]
as needed.

Now consider a step $(s', (\mathrm{NULL}, t), s)$ of $time(A,b)$, where $s'$ is a reachable state of $time(A,b)$. Condition 3(a) of Definition 4.2 is immediate. Now,
\[
g(s') = \begin{cases}
 s'.last(Y) + \Bigl(s'.x + 2 + \Bigl\lfloor \dfrac{s'.last(Y) - s'.first(X)}{l_1} \Bigr\rfloor\Bigr)\,l_2 & \text{if } s'.y = 0 \text{ and } s'.first(X) \le s'.last(Y), \\[1ex]
 s'.last(X) + s'.x \cdot l_2 & \text{otherwise.}
\end{cases}
\]
Thus, $g(s') \ge \min(s'.last(Y), s'.last(X))$. By the definition of $time(A,b)$, it must be that $t \le \min(s'.last(Y), s'.last(X))$; thus, $t \le g(s')$, which shows Condition 3(b)i of Definition 4.2. For Condition 3(b)ii, note that there are no changes in any of the terms involved in the definitions of $g$ and $h$, so $g(s) = g(s')$ and $h(s) = h(s')$. ■

Theorem 5.5 All timed behaviors of $(A,b)$ are in $P$.

Proof: As for Theorem 5.3, using Lemma 5.4. ■


5.2.4  Discussion 

For this example, the bounds we have proved are attainable. That is, there is a timed execution of $(A,b)$ for which the time until a DONE event occurs is exactly $l_1$, and another timed execution for which the time until a DONE event occurs is exactly $(2 + \lfloor l_2/l_1 \rfloor)\,l_2$.

For example, the bound $l_1$ is realized by the timed execution that has the timed schedule $(\mathrm{SET}, l_1), (\mathrm{DONE}, l_1)$. The bound $(2 + \lfloor l_2/l_1 \rfloor)\,l_2$ is realized by the timed execution having the timed schedule
\[
(\mathrm{INC}, a\,l_2),\ (\mathrm{INC}, 2a\,l_2),\ \ldots,\ (\mathrm{INC}, \lfloor l_2/l_1 \rfloor\,a\,l_2),\ (\mathrm{SET}, l_2),\ (\mathrm{DEC}, 2l_2),\ (\mathrm{DEC}, 3l_2),\ \ldots,\ (\mathrm{DEC}, (1 + \lfloor l_2/l_1 \rfloor)\,l_2),\ (\mathrm{DONE}, (2 + \lfloor l_2/l_1 \rfloor)\,l_2),
\]
where $a = 1/\lfloor l_2/l_1 \rfloor$. This timed execution involves the SET happening at the latest possible time, $l_2$. The maximum possible number of INC events occur prior to the SET, and the last of these occurs at the same time as the SET. The DEC events occur as late as possible.
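As an added check that is not part of the paper, the following Python script encodes the progress function g exactly as displayed in the NULL-step argument above and h as it can be read off the SET, INC and DEC cases, and runs the proof's local step checks along the two extreme timed schedules of this section for constructed values l_1 = 2, l_2 = 5. It assumes an encoding of the race system that this page does not spell out: X = {INC, DEC, DONE} and Y = {SET}, both classes with bounds [l_1, l_2], and an initial state with first = l_1 and last = l_2 for each class.

```python
from math import floor, inf
L1, L2 = 2, 5  # constructed values; assumption: classes X and Y both have bounds [l_1, l_2]

def initial():
    # Assumed initial state of time(A, b): counter 0, flag unset, both classes freshly armed.
    return dict(x=0, y=0, done=False, firstX=L1, lastX=L2, firstY=L1, lastY=L2, now=0)

def g(s):
    """Upper-bound progress function g, as displayed in the NULL-step argument."""
    if s["y"] == 0 and s["firstX"] <= s["lastY"]:
        return s["lastY"] + (s["x"] + 2 + floor((s["lastY"] - s["firstX"]) / L1)) * L2
    return s["lastX"] + s["x"] * L2

def h(s):
    """Lower-bound progress function h, read off the SET, INC and DEC cases of the proof."""
    if s["y"] == 0 and s["firstY"] > s["lastX"]:
        return s["firstX"] + (s["x"] + 2) * L1
    return s["firstX"] + s["x"] * L1

def step(s, action, t):
    """Apply (action, t); raise ValueError if A's precondition, first(cls) or a deadline is violated."""
    cls = "Y" if action == "SET" else "X"  # assumption: X = {INC, DEC, DONE}, Y = {SET}
    pre = {"INC": s["y"] == 0, "SET": s["y"] == 0, "DEC": s["y"] == 1 and s["x"] > 0,
           "DONE": s["y"] == 1 and s["x"] == 0}[action]
    if not pre or t < s["now"] or t < s["first" + cls] or t > min(s["lastX"], s["lastY"]):
        raise ValueError(f"illegal step ({action}, {t})")
    n = dict(s, now=t)
    n["x"] += {"INC": 1, "DEC": -1}.get(action, 0)
    if action == "SET":
        n["y"] = 1
    if action == "DONE":
        n["done"] = True
    # Re-arm the acting class with fresh [l_1, l_2] bounds, or disable it once it has no action left.
    still_on = n["y"] == 0 if cls == "Y" else not n["done"]
    n["first" + cls], n["last" + cls] = (t + L1, t + L2) if still_on else (0, inf)
    return n

def check(schedule):
    """Run a timed schedule and apply the proof's local checks at each step: g never increases and
    h never decreases (Condition 2(b)ii); DONE must fall in [h(s0), g(s0)]. Returns (done_time, lo, hi)."""
    s = initial()
    lo, hi = h(s), g(s)
    for action, t in schedule:
        n = step(s, action, t)
        if action != "DONE":
            assert g(n) <= g(s) and h(n) >= h(s), f"progress function moved the wrong way at ({action}, {t})"
        s = n
    assert s["done"] and lo <= s["now"] <= hi, "DONE time outside the proved bounds"
    return s["now"], lo, hi
```

Along the slow schedule g stays exactly at (2 + floor(l_2/l_1)) l_2 = 20 for every step, which is how the tightness of the upper bound shows up in the progress function.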
6 Conclusions and Further Work


In this paper, we have described a way to carry out assertional proofs for timing properties of algorithms that have timing assumptions. The method involves expressing an algorithm and its timing assumptions as a timed automaton (A, b), and expressing the timing requirements in terms of a second timed automaton (A', b'). Then we convert the timed automata (A, b) and (A', b') into ordinary (not timed) I/O automata, time(A, b) and time(A', b') respectively, using a general construction that builds predictive timing information into the automaton state. Then the goal of proving timing requirements can be met by demonstrating the existence of a certain type of mapping called a "strong possibilities mapping" from the "assumptions automaton" time(A, b) to the "requirements automaton" time(A', b'). One way of demonstrating the existence of such a mapping is based on a collection of progress functions, each designed to measure progress toward the fulfillment of one of the upper or lower bound requirements expressed by (A', b'). These progress functions generalize those used elsewhere for program verification in that they are real-valued rather than discrete, and in that they are used for lower as well as upper bounds.

We have applied this method in this paper to analyze the timing properties of two systems: a simple resource-granting system and a race system involving two processes. The analyses of these two examples are straightforward; they consist of case analyses based directly on the conditions specified in the definition of a progress function collection. The style and level of difficulty of these proofs is exactly the same as that of typical inductive proofs of invariant assertions. As do other proofs of that type, these remove the need for complex dynamic arguments about the behavior of the algorithm, replacing them with simple checks involving individual algorithm steps. Because of the need to check many cases, the proofs are not extremely short (the proof for each of our examples is about three pages long); however, this style should scale very well because of the local nature of the checks performed. Also, as for other assertional proofs, it seems likely that proofs using this method can someday be checked using machine-verification technology.

We do not have an easy method for finding an appropriate progress function. Just as for finding invariant assertions, finding the right progress function is a creative task, which depends on an understanding of how the system operates. There are alternative methods which do not require human intervention, e.g., those based on model-checking [4, 17]. However, these methods apply only to finite-state algorithms, and are known to be expensive or even undecidable [4]. Moreover, these methods do not give the benefit of the insights provided by a good invariant or progress function.

The two examples in this paper are not the only examples to which this method has been applied. In a project carried out for Digital Equipment Corporation, several timing properties (including self-stabilization properties) were proved for a new link state packet distribution protocol [18]. Some of the timing properties proved were unexpected, and were discovered in the course of applying the methods of this paper. Although it is possible to provide some informal intuitions for these properties using ad hoc arguments, we do not know a better way than the method of this paper to provide complete and convincing proofs that these properties hold. We have found that progress functions provide a natural and intuitive way of thinking about the reasons the timing properties hold, as well as a basis for formal correctness arguments. Based on the examples that have been tried so far, we believe that the method may be practical for use in verifying timing properties for real timing-based algorithms. It remains to test this hypothesis by applying the technique to more examples; good sources for examples are the areas of real-time computing and communication.

In some of the proofs we give for the DEC protocol, we do not give bounds that are as tight as those we have given for the simple examples in this paper. This is not surprising: in general, for complex algorithms, it is often much easier to prove bounds that are somewhat loose than to prove bounds that are actually attainable by some execution. The method of this paper supports the proof of loose bounds just as easily as that of tight bounds.

A good technique for proving timing properties of systems with timing assumptions should be rigorous, simple and general. Our technique is certainly rigorous, and we think it is also reasonably simple. We now consider its generality. Although it seems to us that timed automata are probably sufficiently general to describe typical implementations, they may not be sufficiently general to describe all interesting requirements specifications. For example, as currently defined, they cannot specify bounds for reaching certain states, but only for the occurrence of certain actions. In [27], the authors express a similar doubt, and address it by generalizing the notion of a boundmap to include certain more general timing conditions. While we could make a similar extension here (indeed, we do make such an extension in an earlier version of this paper [21]), the extra notation required for doing so seems to obscure the essentially simple ideas of our method. Moreover, there is no guarantee that the resulting extension will yet be sufficiently expressive. (Although we state a completeness result in [21] for the generalized specifications, this completeness result is relative to the restriction, not used in this paper, that the underlying automata A and A' are identical.) We have chosen to present our method here using a model that is possibly somewhat too restrictive, and to leave the appropriate generalization for future work.

It remains to relate our method to other methods for proving timing properties. One method we have considered is the one used for several algorithms in [22], based on bounding the time for the occurrence of intermediate milestones. Such a proof can be expressed by a series of proofs in our method, one for each intermediate milestone. A good example to consider is the tournament algorithm for mutual exclusion in [33]. The proof sketched in [22] for this algorithm uses recurrence inequalities to bound the time until a given process wins at various levels of the tournament tree. It should be possible to recast this proof as a sequence of proofs, one for each level of the tree, where the proof for each level of the tree is a generic argument based on a single use of the main recurrence inequality. Although we have not worked out this example in detail, we have done a complete proof [20, 21] of a simpler example motivated by this one (based on a line rather than a tree). In principle, it seems that the ideas should extend to the more complex example, but this remains to be done. Some other techniques to relate to this one include those based on bounded-time temporal logic (e.g., [6]). Also, it remains to see how proofs using our techniques can be applied in a modular way for the verification of timing properties of large and complex timing-based systems.